ABSTRACT


ATKIN’S ECPP ALGORITHM 


Uzunkol, Osmanbey 
M.Sc., Department of Mathematics 
Supervisor: Prof. Dr. Gerhard Pfister 


October 2004, cxxiii pages 


In contrast to using a strong generalization of Fermat’s theorem, as in the Jacobi-sum test, Goldwasser and Kilian used some results coming from group theory in order to prove the primality of a given integer N ∈ ℕ. They developed an algorithm which uses the group of rational points of elliptic curves over finite fields. Atkin and Morain extended the idea of Goldwasser and Kilian and used elliptic curves with CM (complex multiplication) to obtain a more efficient algorithm, namely Atkin’s ECPP (elliptic curve primality proving) algorithm. The aim of this thesis is to introduce some primality tests and to explain Atkin’s ECPP algorithm.


Keywords: Cryptography, Algorithms, Algorithmic Number Theory. 
How good it is to alight in a new place every day,
How pleasant to flow on without clouding or freezing,
Gone with yesterday, my dear,
are all the words that belonged to yesterday;
Now it is time to say new things...
CHAPTER 1


INTRODUCTION 


1.1 Primality Tests 


Primality testing, i.e. distinguishing prime numbers from composite ones, goes back to very old research in number theory due to Eratosthenes, who came up with the first primality test, efficiently generating the set of prime numbers from 1 to N in O(N log log N) arithmetic steps by means of the so-called sieve of Eratosthenes in the 3rd century BC. Since the 17th century, mathematicians have been studying primality testing methods in order to distinguish prime numbers from composites and to factor integers. Fermat’s little theorem enables us to recognize most of the composite integers. Owing to the improvements in the area of data security and cryptography, in particular public key cryptography, the importance of finding big primes has increased dramatically. Using extended ideas of Fermat’s theorem, Solovay and Strassen, in 1977, and Miller and Rabin, in 1980, developed probabilistic primality tests. Although the answer "prime" in these tests is not always true, and cannot even be proven mathematically, these tests, especially the Miller-Rabin test, have been used in public key cryptography to build cryptosystems based on the factorization of integers, such as RSA and its variants, and on the discrete logarithm problem (DLP), such as Diffie-Hellman and ElGamal. Furthermore, the answer "composite" is always true in both of these primality tests.

Hence, in some texts they are called compositeness tests.


The first general purpose primality testing algorithm was designed by Adleman, Pomerance and Rumely [10]. The running time of this algorithm was proved to be O((log N)^{c log log log N}) for some effective c > 0. Although this algorithm is fast, having expected polynomial complexity, in its first appearance it was not suited to use in practice. Afterwards this algorithm was made practical and simplified by H. W. Lenstra and Cohen in [32], and then implemented by Cohen and A. K. Lenstra in [14].


1.2 ECPP Algorithms 


In 1985, H. W. Lenstra introduced the usage of elliptic curves in the factorization of integers. After that, Goldwasser and Kilian developed an algorithm with the hope of finding a primality test with the help of groups of rational points of elliptic curves over finite fields. Their algorithm is called the ECPP (elliptic curve primality proving) algorithm; it uses the DOWN-RUN strategy of the elliptic curve analog of the N − 1 primality testing method together with a theoretical algorithm due to Schoof. They showed that, under a reasonable hypothesis on the distribution of primes in short intervals, the expected running time of ECPP is O(log^{12} N). After the previous success at producing proofs of compositeness, as in Solovay-Strassen and Miller-Rabin, this algorithm produces short proofs of primality. Such a proof is hence called a certificate of primality.


The major difficulty in the ECPP algorithm of Goldwasser & Kilian is to find the size of the group of rational points of elliptic curves by means of the theoretical algorithm due to Schoof. Although some progress has been made in the direction of making Schoof’s algorithm practical by Atkin in [48] and Elkies in [29], Atkin and Morain have found a better idea. They used elliptic curves with complex multiplication, abbreviated as elliptic curves with CM, instead of using randomly chosen elliptic curves. Their algorithm, namely Atkin’s ECPP, is very practical and has been used to prove the primality of the Titanic numbers, numbers which have more than 1000 digits, using weeks of workstation time. Moreover, as for the Goldwasser-Kilian algorithm, it is easy for a second programmer to verify the correctness of the result, i.e. it gives a certificate of primality for the prime candidate N which enables one to recheck the primality of N much faster.
1.3 About the Thesis

The aim of this thesis is to explain and give an overview of the important primality testing methods and Atkin’s ECPP algorithm. It consists of the following chapters:


• We will start with basic facts coming from algebra and number theory. In particular, we will explain imaginary quadratic number fields, quadratic forms and Cornacchia’s algorithm, which are the basic algebraic results used in our primality tests and ECPP algorithm.

• In chapter 3, elliptic curves and their arithmetic related to primality proving will be explained intensively and the necessary background will be covered. In this chapter, we will also see how one can deal with the problems coming together with the computation of the groups of rational points of elliptic curves over different fields, in particular over finite fields F_q, where q = p^r, r ∈ ℕ and p is a prime. Further, we will also give a short overview of the curves with CM and their relation to imaginary quadratic number fields and forms.

• We will give an overview of some primality testing methods in chapter 4. Furthermore, we will introduce the so-called Pocklington’s theorem and the N − 1 (resp. N + 1) primality testing method, which is a primality testing algorithm based on the full or partial factorization of N − 1 (resp. N + 1), where N is a prime candidate. This method will enable us to introduce the general idea and the DOWN-RUN strategy of the ECPP algorithms, which we will also give in a general form.

• In chapter 5, we will explain the ECPP algorithms of Goldwasser-Kilian and Atkin, respectively. We will give an overview of the approaches to the point counting problem for elliptic curves over finite fields, such as the theoretical algorithm of Schoof used in the Goldwasser-Kilian ECPP algorithm and the CM method in Atkin’s ECPP algorithm. Moreover, we will see different methods and approaches to improve and optimize Atkin’s algorithm at the end of the chapter.

• The running time analysis of both the Goldwasser-Kilian and the Atkin algorithm will be summarized in chapter 6.

• At the end, we will give implementations of some primality testing methods and some parts of Atkin’s ECPP algorithm together with examples. The computer package LiDiA was used to implement these algorithms and give examples in the programming language C++. Some of the number theoretical functions and primality tests were implemented in the computer algebra system SINGULAR, too.
CHAPTER 2

SOME RESULTS FROM ALGEBRA & NUMBER THEORY


In this chapter, we will briefly explain the necessary theory and background coming together with elementary number theory, quadratic forms and imaginary quadratic number fields. All these subjects have an enormous literature. We begin with some arithmetical results which are the basics of our discussions later on. First, basic arithmetical tasks related to prime numbers will be introduced. We will give Fermat’s little theorem, which will be a basic theoretical result in all of our primality testing and proving algorithms. Secondly we will review the preliminaries of algebra and algebraic number theory which are related to our N − 1 (resp. N + 1) and ECPP algorithms. Especially the quadratic forms will be the basic analogous number-theoretic result of our ECPP algorithms.


2.1 Introductory arithmetics 


We will review in this section some arithmetical properties coming from algebra which are necessary to develop and define our theoretical results for prime numbers.


Definition 2.1. Let R be a ring and a, b ∈ R. Then b is called divisible by a, or a divides b, if there exists c ∈ R with b = a·c.

Remark 2.1. We write a | b if a divides b, otherwise a ∤ b if a does not divide b. Furthermore, we have 0 | a ⇔ a = 0.




Definition 2.2. a ∈ R is called an identity (i.e. a unit) if a | 1, i.e. ∃ c ∈ R such that 1 = a·c. So by definition c is also an identity, and c = a^{−1} is then the multiplicative inverse of a in R.

Definition 2.3. a, b ∈ R are called associate if a | b and b | a simultaneously.

Corollary 2.1. (R*, ·) is an abelian group.

Proof: See reference [17].


Definition 2.4. Let a ∈ R, a ≠ 0 and a not an identity element. Then a is called irreducible if from the decomposition a = b·c, b, c ∈ R, we get b ∈ R* or c ∈ R*. If a is not irreducible, then it is called composite.

Definition 2.5. Let p ∈ R, p ≠ 0 and p not an identity element. Then p is called a prime element, or just prime, if from p | b·c with b, c ∈ R we get p | b or p | c.

Remark 2.2. In general prime ≠ irreducible.

Question: When do we have equality?


Proposition 2.1. If R is an integral domain, then each prime element a ∈ R is irreducible.

Proof: See reference [17].

But again, for a general integral domain the converse of the above proposition is false (irreducible ≠ prime). In fact, we need an analogous algebraic structure which has a division property like the integers. Our structure must in this sense be a euclidean ring.

Proposition 2.2. Let R be a euclidean ring; then each irreducible element a ∈ R is prime.

Proof: See reference [17].

As we see from the above two propositions, we can conclude that in euclidean rings primes = irreducibles (as every euclidean ring is an integral domain).
Uniqueness of decomposition into prime elements


Lemma 2.1.1. Let R be a euclidean ring, a ∈ R, a ≠ 0. If a ∉ R*, then there exists a prime element which divides a.

Proof: See reference [17].

Theorem 2.1. Let R be a euclidean ring, a ∈ R, a ≠ 0.

1. Either a ∈ R* or a can be written as a product of prime elements, i.e. ∃ s ∈ ℕ and prime elements p_1, …, p_s so that
$$a = \prod_{i=1}^{s} p_i.$$

2. Let a = ∏_{i=1}^{t} q_i be another factorisation of a. Then s = t and there exists a permutation π of the set {1, …, s} such that p_i and q_{π(i)} are associate.


Actually, the above theorem tells us that each element of a euclidean ring can be written in terms of prime elements (equivalently, irreducible elements). We will use this idea in our special case R = ℤ in the next section so as to conclude that every natural number has a unique prime number decomposition!

We will end this basic section with the definition of a greatest common divisor and the general version of the so-called euclidean algorithm.


Definition 2.6. Let R be an integral domain, a, b ∈ R, and d a common divisor of a and b. Then d is called a greatest common divisor, abbreviated gcd, of a and b if d′ | d for every common divisor d′ of a and b.

Lemma 2.1.2. Let R be a principal ideal domain, a, b ∈ R and I = (a, b) the ideal of R generated by a and b. If I = (d) with d ∈ R, then d is a gcd of a and b.

Proof: See reference [17].
Theorem 2.2. Euclid Algorithm. Let R be a euclidean ring with euclid function ψ, a, b ∈ R, b ≠ 0, I = (a, b). Set r_0 = a, r_1 = b and for i ≥ 0 let r_i = q_{i+1} r_{i+1} + r_{i+2} such that r_{i+2} = 0 or ψ(r_{i+2}) < ψ(r_{i+1}). Then there exists a smallest natural integer κ with r_κ ≠ 0 but r_{κ+1} = 0, and I = (r_κ).

Proof: See reference [17].

This theorem implies that for given a, b ∈ R it is possible to find a gcd d of a and b. Note that there exist x, y ∈ R such that d = ax + by. Also note that in the general case the gcd is not unique!

Remark 2.3. One can also give for this general case the so-called extended euclidean algorithm, which simultaneously computes d, x and y. See references [17] and [46].

At the end we will give our first algorithm, namely the extended GCD algorithm for integers, in pseudo-code.


ALGORITHM: extended GCD
Input: Given a, b ∈ ℤ with a ≥ b ≥ 0,
Output: d = gcd(a, b) and integers x, y satisfying ax + by = d,

1. If b = 0, then set d ← a, x ← 1, y ← 0, and return (d, x, y);
2. Set x_2 ← 1, x_1 ← 0, y_2 ← 0, y_1 ← 1;
3. While b > 0 do the following:
   (a) q ← ⌊a/b⌋, r ← a − qb, x ← x_2 − q·x_1, y ← y_2 − q·y_1,
   (b) a ← b, b ← r, x_2 ← x_1, x_1 ← x, y_2 ← y_1, and y_1 ← y;
4. Set d ← a, x ← x_2, y ← y_2, and return (d, x, y).


At the end of this section, we are going to review the so-called Chinese Remainder Theorem, abbreviated by CRT, for the general case.
Theorem 2.3. Chinese Remainder Theorem. Let R be a euclidean ring, t ∈ ℕ and m_1, …, m_t ∈ R such that m_i and m_j are coprime to each other for i ≠ j. Then we have
$$R/m_1 \cdots m_t R \cong \bigoplus_{i=1}^{t} R/m_i R.$$

Proof: see reference [17].

Corollary 2.2. Let R be a euclidean ring, t ∈ ℕ and m_1, …, m_t ∈ R such that m_i and m_j are coprime to each other for i ≠ j. Furthermore, assume that a_1, …, a_t ∈ R are given. Then ∃ x ∈ R with x ≡ a_i mod m_i for 1 ≤ i ≤ t. Additionally, x mod m, where m = m_1 ⋯ m_t, is uniquely determined.

Proof: immediate by CRT!
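As an added worked example (not code from the thesis, whose implementations use LiDiA and SINGULAR), the extended GCD pseudo-code above and the CRT of Corollary 2.2 in Python for R = ℤ; the function and variable names are my own.

```python
# Added example: extended GCD (four-step pseudo-code above) and the CRT of
# Corollary 2.2 over the integers. Not from the thesis; names are my own.


def extended_gcd(a, b):
    """Return (d, x, y) with d = gcd(a, b) and a*x + b*y = d, for integers a >= b >= 0.

    (x2, x1) and (y2, y1) carry the Bezout coefficients of the two most recent
    remainders, exactly as in the pseudo-code.
    """
    if a < b or b < 0:
        raise ValueError("require a >= b >= 0")
    if b == 0:                        # step 1
        return a, 1, 0
    x2, x1, y2, y1 = 1, 0, 0, 1       # step 2
    while b > 0:                      # step 3
        q = a // b
        r = a - q * b
        x = x2 - q * x1
        y = y2 - q * y1
        a, b = b, r
        x2, x1 = x1, x
        y2, y1 = y1, y
    return a, x2, y2                  # step 4


def mod_inverse(a, m):
    """Inverse of a modulo m (m >= 1); raises ValueError if gcd(a, m) != 1."""
    a %= m                            # now 0 <= a < m, so extended_gcd(m, a) is valid
    d, _, y = extended_gcd(m, a)      # m*x + a*y = d
    if d != 1:
        raise ValueError("%d has no inverse modulo %d" % (a, m))
    return y % m


def crt(residues, moduli):
    """Corollary 2.2 for R = Z: the unique x mod prod(m_i) with x = a_i (mod m_i).

    The moduli must be pairwise coprime; otherwise mod_inverse raises, because
    M_i = prod(m_j, j != i) is then not invertible modulo m_i.
    """
    big_m = 1
    for m in moduli:
        big_m *= m
    x = 0
    for a_i, m_i in zip(residues, moduli):
        m_part = big_m // m_i
        x += a_i * m_part * mod_inverse(m_part, m_i)
    return x % big_m
```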


2.2 Fermat’s theorem and Special prime numbers

In this section we are going to revisit some properties of prime numbers. Afterwards, Fermat’s little theorem and related results will be discussed. At the end we will see some special prime numbers, whose primality can be tested more easily, as we will see in Chapter 4.

Here we have R = ℤ. Obviously ℤ is euclidean. Further, its prime elements which are > 0 are called w.l.o.g. prime numbers (the prime elements of ℤ are p and −p, where p is a prime number).

Theorem 2.4. Euclid. There are infinitely many prime numbers.

Proof: Let M be the set of all prime numbers. M ≠ ∅ as 2 ∈ M. Let now p_1, …, p_k be distinct prime numbers, k ≥ 1, and let Q = 1 + ∏_{i=1}^{k} p_i. By Lemma 2.1.1 there exists a prime P which divides Q. Let P = p_j; then P | Q − ∏_{i=1}^{k} p_i = 1, i.e. P | 1, a contradiction to the assumption that p_i is prime ∀ i, 1 ≤ i ≤ k.
By Theorem 2.1 we can conclude that each natural number n has a unique prime factorisation. Then ∃ s ∈ ℕ and prime numbers p_1, …, p_s such that
$$n = \prod_{i=1}^{s} p_i.$$

Notation: If we write the same primes together we get
$$n = \prod_{i=1}^{t} p_i^{e_i},$$
p_i ≠ p_j if i ≠ j, e_i ∈ ℕ. This is called the canonical prime factor decomposition of n.

Theorem 2.5. Prime number Theorem. Let π(x) be the number of primes smaller than x, where x ∈ ℝ. Then
$$\lim_{x \to \infty} \frac{\pi(x) \cdot \log x}{x} = 1.$$

Remark 2.4. 1. Some cryptosystems like RSA need big prime numbers, such as prime numbers of exactly 128 bits in their binary representation. How many such primes exist? By using the prime number theorem, we have approximately
$$\pi(2^{128}) - \pi(2^{127}) \approx \frac{2^{128}}{128 \cdot \log 2} - \frac{2^{127}}{127 \cdot \log 2} \quad (\approx 1.906 \cdot 10^{36} \text{ primes}).$$

2. This theorem, as we see above, will be very useful in the running time analysis of our algorithm in chapter 6.
Now we will give the definition of the Legendre and Jacobi symbols.

Definition 2.7. Legendre-Symbol. Let p > 2 be a prime number and a ∈ ℤ. Then
$$\left(\frac{a}{p}\right) = \begin{cases} 0 & \text{if } \gcd(a, p) \neq 1 \\ +1 & \text{if } a \text{ is a quadratic residue mod } p \\ -1 & \text{if } a \text{ is a quadratic non-residue mod } p \end{cases}$$

Of course we can generalize this definition for any odd integer N instead of a prime number p.
Definition 2.8. Jacobi-Symbol. Let N = ∏_i p_i^{e_i} be an odd integer with all p_i prime and a ∈ ℤ. Then (a/N) is defined as the product ∏_i (a/p_i)^{e_i} of Legendre symbols, and it can be computed as follows:

ALGORITHM: Jacobi-Symbol
Input: Given a, N ∈ ℤ,
Output: the Legendre resp. Jacobi symbol (a/N),

1. (Test N = 0) If N = 0, output 0 if |a| ≠ 1, output 1 if |a| = 1, and terminate the algorithm;
2. (Remove 2’s from N) If a and N are both even, output 0 and terminate the algorithm. Otherwise,
   (a) set v ← 0 and while N is even set v ← v + 1 and N ← N/2;
   (b) if v is even set k ← 1, otherwise set k ← (−1)^{(a² − 1)/8};
   (c) if N < 0 set N ← −N, and if in addition a < 0 set k ← −k;
3. (Finished?) (Here clearly N is odd and positive.)
   (a) If a = 0 then output 0 if N > 1, k if N = 1, and terminate the algorithm;
   (b) otherwise set v ← 0 and while a is even do v ← v + 1 and a ← a/2;
   (c) if v is odd set k ← (−1)^{(N² − 1)/8} · k;
4. (Apply reciprocity law) Set k ← (−1)^{(a − 1)(N − 1)/4} · k. Then r ← |a|, a ← N mod r, N ← r, and GOTO step 3.


As we already said, our basic number theoretical result is due to Fermat. Fermat’s little theorem and the generalization of its converse (actually the converse is of course not true!) will be our basic results in our primality testing and afterwards proving algorithms. We will review the results coming with Fermat’s theorem.

Theorem 2.6. Fermat’s Little Theorem. Let p be a prime number and a ∈ ℕ with gcd(a, p) = 1; then a^{p−1} ≡ 1 mod p.

Proof: See for example reference [17].

Definition 2.9. A composite number N is said to be a pseudoprime to the base a, denoted by psp(a), a ∈ ℤ, 1 < a < N − 1, if a^{N−1} ≡ 1 mod N.

Definition 2.10. A composite number N is said to be an euler pseudoprime to the base a, denoted by epsp(a), a ∈ ℤ, 1 < a < N − 1, if a^{(N−1)/2} ≡ (a/N) mod N.

Proposition 2.3. For every odd number a ∈ ℕ there are infinitely many psp(a)’s and epsp(a)’s.

Proof: See reference [17].

Proposition 2.4. Let p be an odd prime, p − 1 = 2^l · m, where m is odd, and a ∈ ℤ with gcd(a, p) = 1. Then either a^m ≡ 1 mod p or there exists some j with 0 ≤ j < l such that a^{2^j m} ≡ −1 mod p.

Proof: See reference [17].

Definition 2.11. If N is composite and the above conditions are satisfied for a ∈ ℤ (with N in place of p), then N is called a strong pseudoprime to the base a, abbreviated by spsp(a).
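The Jacobi-symbol algorithm above and the pseudoprime notions of Definitions 2.9–2.11 as one added Python example (not from the thesis; the function names and the sample values 341, 561 and 2047 are mine, the classical smallest psp(2), Carmichael number and spsp(2) respectively):

```python
# Added example (not from the thesis): Jacobi symbol by the reciprocity steps 3-4
# above, and the three pseudoprime notions checked on constructed sample values.


def jacobi(a, N):
    """Jacobi symbol (a/N) for a positive odd N (steps 3-4 of the algorithm above)."""
    if N <= 0 or N % 2 == 0:
        raise ValueError("N must be a positive odd integer")
    a %= N
    k = 1
    while a != 0:
        v = 0                               # step 3(b): pull the factors 2 out of a
        while a % 2 == 0:
            a //= 2
            v += 1
        if v % 2 == 1 and N % 8 in (3, 5):  # step 3(c): (2/N) = (-1)^((N^2-1)/8)
            k = -k
        if a % 4 == 3 and N % 4 == 3:       # step 4: sign (-1)^((a-1)(N-1)/4)
            k = -k
        a, N = N % a, a                     # step 4: r <- |a|, a <- N mod r, N <- r
    return k if N == 1 else 0               # step 3(a): N > 1 left means gcd > 1


def _is_prime_by_trial_division(n):
    """Exact but slow primality check, used only to enforce 'N composite'."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True


def _admissible(N, a):
    """Definitions 2.9-2.11 concern composite odd N and a base 1 < a < N - 1."""
    return N % 2 == 1 and 1 < a < N - 1 and not _is_prime_by_trial_division(N)


def is_psp(N, a):
    """Definition 2.9: N is a pseudoprime to base a if a^(N-1) = 1 mod N."""
    return _admissible(N, a) and pow(a, N - 1, N) == 1


def is_epsp(N, a):
    """Definition 2.10: a^((N-1)/2) = (a/N) mod N (Euler pseudoprime)."""
    return _admissible(N, a) and (pow(a, (N - 1) // 2, N) - jacobi(a, N)) % N == 0


def strong_condition(n, a):
    """Proposition 2.4: with n-1 = 2^l m, m odd: a^m = 1 or a^(2^j m) = -1, 0 <= j < l."""
    m, l = n - 1, 0
    while m % 2 == 0:
        m //= 2
        l += 1
    x = pow(a, m, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(l - 1):                  # squarings give a^(2^j m) for j = 1..l-1
        x = x * x % n
        if x == n - 1:
            return True
    return False


def is_spsp(N, a):
    """Definition 2.11: composite N satisfying the conditions of Proposition 2.4."""
    return _admissible(N, a) and strong_condition(N, a)
```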


Special Prime Numbers

Lemma 2.2.1. Let a, n ∈ ℕ and a | n. Then 2^a − 1 | 2^n − 1.

Proof: See reference [17].

Corollary 2.3. If M_n = 2^n − 1 is a prime, then n is a prime. Such primes are called Mersenne primes.

Proof: Trivial by the above lemma.

Lemma 2.2.2. If M_p is prime then n = 2^{p−1} · M_p is a perfect number. Conversely, each even perfect number n has the form n = 2^{p−1} · M_p, where M_p is a Mersenne prime.

Proof: Due to Euclid; see reference [17].

Lemma 2.2.3. If N = 2^m + 1 is prime then m = 2^n. The numbers F_n = 2^{2^n} + 1 are called Fermat numbers.

We will discuss in Chapter 4 how we can apply our tests to these special prime numbers.


2.3 Results from Algebraic Number Theory

In this section we will give the necessary background from algebraic number theory. We are going to explain quadratic forms and their relation with imaginary quadratic number fields, which are the basics of the theory of complex multiplication, abbreviated by CM-theory, that we will see in the next chapter. These results together with CM-theory will enable us to give the N − 1 analog of a prime number test, namely our algorithm due to Atkin. Most of the results needed to introduce our algorithm, and the related literature and references, will also be given. Note that up to now we have just introduced the number theoretical results which are the basics of all primality testing algorithms. We also introduce in Chapter 4 the so-called Jacobi sum test, which is also a true primality testing algorithm. However, we will not give the prerequisite theory of that algorithm, as it is outside the scope of this thesis. The necessary background can be covered from the book of Cohen [1].


Arithmetic in Quadratic Number Fields

Let D ∈ ℤ and let √D ∈ ℂ be a root of the polynomial X² − D. Then
$$\mathbb{Q}(\sqrt{D}) := \{a + b\sqrt{D} \mid a, b \in \mathbb{Q}\} \subset \mathbb{C}.$$
Then ℚ(√D) is a field, namely a quadratic number field. If D < 0 (D > 0), then it is called complex (resp. real).

Remark 2.5. ℚ(√D) is a ℚ-vector space of dimension 2, with basis for example P_1 = (1, 0) and P_2 = (0, √D).

W.l.o.g. we can assume that D is a squarefree integer, i.e. D ≢ 0 mod 4. Consider just D ≡ 1, 2, 3 mod 4.

Definition 2.12. The map σ : ℚ(√D) → ℚ(√D), σ(a + b·√D) = a − b·√D, is called the conjugate map.

Here are some properties of the conjugate map σ:
1. σ(α ± β) = σ(α) ± σ(β), ∀ α, β ∈ ℚ(√D),
2. σ(α·β) = σ(α)·σ(β), ∀ α, β ∈ ℚ(√D),
3. σ(α/β) = σ(α)/σ(β), ∀ α, β ∈ ℚ(√D) provided that β ≠ 0,
4. σ(β) = 0 if and only if β = 0.

Theorem 2.7. Let D be a square free integer. Then ℚ(√D) is a field with ℚ ⊂ ℚ(√D) ⊂ ℂ. Each α ∈ ℚ(√D) has a unique representation of the form α = a + b√D, a, b ∈ ℚ. The map σ is an automorphism of ℚ(√D) which fixes ℚ pointwise.

Proof: See reference [17].


Definition 2.13. Write α′ = σ(α). The norm function is N(α) = α·α′ and the trace function is T(α) = α + α′.

Hence for a given α = a + b√D we have N(α) = a² − b²·D and T(α) = 2a.

Theorem 2.8. 1. The function T : ℚ(√D) → ℚ is an epimorphism of additive groups.

2. If α ∈ ℚ(√D), then we have N(α) = 0 if and only if α = 0 (as √D ∉ ℚ); the function N* : ℚ(√D)* → ℚ* is a homomorphism of multiplicative groups.

Now let α = a + b√D ∈ ℚ(√D); then we get the relation
$$\alpha^2 = a^2 + 2ab\sqrt{D} + b^2 D = \underbrace{2a}_{T(\alpha)}\,(a + b\sqrt{D}) - \underbrace{(a^2 - b^2 D)}_{N(\alpha)}$$
$$\Rightarrow\ \alpha^2 - T(\alpha)\,\alpha + N(\alpha) = 0.$$

Corollary 2.4. Every α ∈ ℚ(√D) is a root of a polynomial in ℚ[x] of degree ≤ 2. A monic polynomial μ_α ∈ ℚ[x] of minimal degree such that μ_α(α) = 0 is called the minimal polynomial of α. Further, μ_α is uniquely determined.


Definition 2.14. Let α ∈ ℚ(√D). Then α is called an algebraic integer if μ_α ∈ ℤ[x].

Now we actually have three cases for the minimal polynomials of algebraic integers:
• Let α ∈ ℤ ⇒ μ_α = x − α ∈ ℤ[x],
• Let α ∈ ℚ − ℤ ⇒ μ_α = x − α ∉ ℤ[x],
• Let α ∈ ℚ(√D) − ℚ; then α is an algebraic integer ⇔ both T(α) ∈ ℤ and N(α) ∈ ℤ.

Lemma 2.3.1. Let α ∈ ℚ(√D). Then α is an algebraic integer if and only if α has the form
$$\alpha = \begin{cases} \tfrac{1}{2}(a + b\sqrt{D}),\ a, b \in \mathbb{Z},\ a \equiv b \bmod 2 & \text{if } D \equiv 1 \bmod 4 \\ a + b\sqrt{D},\ a, b \in \mathbb{Z} & \text{if } D \equiv 2, 3 \bmod 4 \end{cases}$$

Proof: See reference [17].

Let O_D be the set of all algebraic integers of ℚ(√D). Then we have the following corollary and theorem:

Corollary 2.5. O_D is a ring. Moreover, it is an integral domain.

Proof: trivial by the above lemma.
Theorem 2.9. O_D is a free ℤ-module of rank 2; O_D has the ℤ-basis (1, ω_D) with
$$\omega_D = \begin{cases} \sqrt{D} & \text{if } D \equiv 2, 3 \bmod 4 \\ \dfrac{1 + \sqrt{D}}{2} & \text{if } D \equiv 1 \bmod 4 \end{cases}$$
Moreover, O_D = ℤ ⊕ ω_D·ℤ.

Definition 2.15. The imaginary quadratic discriminant of an imaginary quadratic number field K = ℚ(√−d), d > 0 square free, is equal to
$$\begin{cases} d & \text{if } d \equiv 3 \bmod 4 \\ 4d & \text{if } d \not\equiv 3 \bmod 4 \end{cases}$$

Corollary 2.6. The set of all algebraic integers in K is given by the following isomorphism:
$$O_K = \begin{cases} \mathbb{Z} + \mathbb{Z}\sqrt{-d} & \text{if } d \not\equiv 3 \bmod 4 \\ \mathbb{Z} + \mathbb{Z}\,\dfrac{1 + \sqrt{-d}}{2} & \text{if } d \equiv 3 \bmod 4 \end{cases}$$

Definition 2.16. Order of an imaginary quadratic number field. An order O in K is a subring of K which is finitely generated as a ℤ-module and of maximal rank n = deg(K).

Definition 2.17. An ideal 𝔞 of O is a sub-O-module, i.e. a sub-ℤ-module of O such that for every r ∈ O and i ∈ 𝔞 we have ri ∈ 𝔞.

Definition 2.18. An ideal 𝔞 is said to be a principal ideal of O if there exists x ∈ K such that 𝔞 = xO. Furthermore, O is a principal ideal domain (PID) if O is an integral domain (for orders this is always the case) and if every ideal 𝔞 of O is a principal ideal.

Assume O_K is the principal order of an imaginary quadratic number field K. Then O ⊂ O_K.
Definition 2.19. Two ideals 𝔞, 𝔟 are said to be equivalent if there exist α, β ∈ K* with α·𝔞 = β·𝔟.

The equivalence classes form the ideal class group. Every ideal class of O_D has an ideal of the form
$$a\mathbb{Z} + \frac{-b + \sqrt{-D}}{2}\,\mathbb{Z} \quad \text{for } a \in \mathbb{N},\ b \in \mathbb{Z},$$
with additionally c = (b² + D)/4a ∈ ℤ and gcd(a, b, c) = 1.

Definition 2.20. A fractional ideal 𝔦 of O is a non-zero submodule of K such that there exists a non-zero integer d with d𝔦 an ideal of O.

Definition 2.21. Let 𝔦 be a fractional ideal of O. We say that 𝔦 is invertible if there exists a fractional ideal 𝔧 of O such that O = 𝔦𝔧. Such an ideal 𝔧 is then called an inverse of the ideal 𝔦.

Lemma 2.3.2. Let 𝔦 be a fractional ideal, and set
$$\mathfrak{i}' = \{x \in K \mid x\mathfrak{i} \subset O\};$$
then 𝔦 is invertible if and only if 𝔦𝔦′ = O. Moreover, if this equality holds, then 𝔦′ is the unique inverse of 𝔦 and is denoted by 𝔦^{−1}.

Proof: immediate!


2.4 Quadratic Forms

In this section we will introduce quadratic forms and their relations with imaginary quadratic number fields and discriminants. In fact, the idea is that quadratic forms and invertible fractional ideals of an imaginary quadratic order O are the same structure in an imaginary quadratic number field K. This equivalence will enable us to find another one in the next chapter, the equivalence between lattices Λ ⊂ ℂ and hence the equivalence between elliptic curves over ℂ, which will then be used in CM-theory and in the end in our ECPP algorithm.
Definition 2.22. A binary quadratic form over ℤ is a map f : ℤ² → ℤ, f(x, y) = ax² + bxy + cy², a, b, c ∈ ℤ, with discriminant D = 4ac − b². This form is called primitive if gcd(a, b, c) = 1. Hence it can be identified with a triple, i.e. f = (a, b, c).

Remark 2.6. Quadratic forms can also be represented in terms of matrices:
$$f(x, y) = (x, y)\, M_f \begin{pmatrix} x \\ y \end{pmatrix}, \qquad M_f = \begin{pmatrix} a & b/2 \\ b/2 & c \end{pmatrix}.$$

Definition 2.23. Two binary quadratic forms f and g are said to be equivalent, abbreviated f ~ g, if ∃ A ∈ SL(2, ℤ) with M_g = A^{−1}·M_f·A.

This is obviously an equivalence relation.

Definition 2.24. The equivalence classes [f] of binary quadratic forms f form a group, called the form class group and denoted by Cl(D).

Let’s analyse these equivalence classes a little bit more.

Corollary 2.7. Each equivalence class contains exactly one form (a, b, c) with a, b and c relatively prime and satisfying the following:
|b| ≤ a ≤ c and (|b| = a or a = c ⇒ b ≥ 0). Such a form is called reduced.

Proof: See reference [11].


Theorem 2.10. Let O_K be the principal order of an imaginary quadratic number field K, and D the imaginary quadratic discriminant of O_K. Then define a map
$$\Phi : f(x, y) = ax^2 + bxy + cy^2 \longmapsto a\mathbb{Z} + \frac{-b + \sqrt{D}}{2}\,\mathbb{Z}$$
with D = b² − 4ac. Then Φ is a bijection between the form class group Cl(D) and the ideal class group Cl(O_K).

Proof: See reference [11].

This theorem tells us that |Cl(D)| = |Cl(O_D)|, which implies that h(O_D) = h(D).

Review: h(O_D) (and h(D)) is by definition the cardinality of Cl(O_D) (of Cl(D), respectively).
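An added Python example (not code from the thesis) of Corollary 2.7 and of h(D): reduce a positive definite form (a, b, c) to the unique reduced form of its class, and compute h(D) = |Cl(D)| by enumerating the reduced forms of discriminant D = b² − 4ac < 0, the convention of Theorem 2.10. Function names and the test discriminants are mine.

```python
# Added example (not from the thesis): reduction of binary quadratic forms
# (Corollary 2.7) and the class number h(D) via enumeration of reduced forms.
# Convention here: D = b^2 - 4ac < 0 (Theorem 2.10), a > 0.

from math import gcd, isqrt


def reduce_form(a, b, c):
    """Return the reduced form equivalent to (a, b, c); requires a > 0, b^2 - 4ac < 0.

    Two SL(2, Z) moves are alternated: the shear (x, y) -> (x + k y, y), which keeps
    a and moves b into (-a, a], and the swap (x, y) -> (-y, x), which exchanges a and c
    and negates b. Both preserve the discriminant D.
    """
    D = b * b - 4 * a * c
    if a <= 0 or D >= 0:
        raise ValueError("form must be positive definite")
    while True:
        if not (-a < b <= a):                # normalise b via the shear
            k = (a - b) // (2 * a)           # floor division works for negative b too
            b += 2 * a * k
            c = (b * b - D) // (4 * a)       # recompute c from the invariant D
        if a > c:                            # swap so that a <= c, then renormalise
            a, b, c = c, -b, a
            continue
        if a == c and b < 0:                 # tie case of Corollary 2.7: take b >= 0
            b = -b
        return a, b, c


def reduced_forms(D):
    """All primitive reduced forms of discriminant D < 0, one per class of Cl(D)."""
    if D >= 0 or D % 4 not in (0, 1):
        raise ValueError("D must be a negative discriminant, D = 0 or 1 mod 4")
    forms = []
    for a in range(1, isqrt(-D // 3) + 1):        # |b| <= a <= c forces 3a^2 <= |D|
        for b in range(-a, a + 1):
            if (b - D) % 2:                       # b^2 = D mod 4 forces b = D mod 2
                continue
            num = b * b - D                       # 4ac = b^2 - D
            if num % (4 * a):
                continue
            c = num // (4 * a)
            if c < a or gcd(gcd(a, abs(b)), c) != 1:
                continue
            if (abs(b) == a or a == c) and b < 0: # exclude the duplicate of the tie case
                continue
            forms.append((a, b, c))
    return forms


def class_number(D):
    """h(D) = |Cl(D)|, the number of reduced forms of discriminant D."""
    return len(reduced_forms(D))
```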


Definition 2.25. Let D be an imaginary quadratic discriminant, n ∈ ℤ and f = (a, b, c) a quadratic form with discriminant D. If ∃ (z, w) ∈ ℤ² such that
$$n = az^2 + bzw + cw^2 = f(z, w),$$
then n can be represented by means of the form f. Such an n is called a norm of an element of O_D if there exists τ ∈ O_D with n = τ·τ̄.

Question: When do we have such a form and how can we compute it?

Lemma 2.4.1. Let D be an imaginary quadratic discriminant and n ∈ ℤ. There exists τ ∈ O_D with n = τ·τ̄ if and only if 4n = t² + Dy² has a solution (t, y) ∈ ℤ².

We will end this section by explaining the method to solve these diophantine equations. Note that it is not always the case that such a solution exists. In order to find such a pair (t, y), we can use the so-called Cornacchia’s algorithm, which also gives us a way to know whether or not such a solution exists. This algorithm essentially computes, for a given rational, the continued fraction of the square root. This idea was also used to factor integers. Note that finding such a pair is equivalent to solving p = x² + dy² for a prime number p. Note also that this algorithm will be used in the CM-theory of elliptic curves for a given discriminant D.


ALGORITHM: Cornacchia’s Algorithm
Input: Given a square free integer d > 0 and a prime number p,
Output: A solution to p = x² + dy², if one exists,

1. Let p/2 < x_0 < p be a solution of x² ≡ −d mod p;
2. Set r_0 ← p, r_1 ← x_0, k ← 0;
3. Until r_{k+1}² < p ≤ r_k² do:
   (a) r_{k+2} ← r_k mod r_{k+1}, k ← k + 1;
4. Set x ← r_{k+1}, y ← √((p − x²)/d); if y ∈ ℤ return (x, y), else return ’No Solution’.


One can also modify the algorithm to get a more efficient method. Here is the modified version of Cornacchia due to Cohen. In this method we also do not need the (x, y) transformation; here D < 0 and |D| plays the role of d above:

ALGORITHM: Modified Cornacchia’s Algorithm
Input: Given a square free integer D < 0 and a prime number p such that D ≡ 0 or 1 mod 4 and |D| < 4p,
Output: A solution to 4p = x² + |D| y², if one exists,

1. (Case p = 2) If D + 8 is the square of a natural number return (√(D + 8), 1), otherwise return ’No Solution’;
2. (Test if it is a residue) Using the Jacobi algorithm compute k ← (D/p). If k = −1 return ’No Solution’;
3. (Compute square root) Compute an integer x_0 such that x_0² ≡ D mod p and 0 ≤ x_0 < p;
   (a) Set x_0 ← p − x_0 if x_0 ≢ D mod 2,
   (b) Set a ← 2p, b ← x_0, and l ← ⌊2√p⌋;
4. (Euclidean Algorithm) If b > l, set r ← a mod b, a ← b, b ← r and GOTO step 4;
5. (Test Solution) If |D| does not divide 4p − b², or if c = (4p − b²)/|D| is not the square of an integer, return ’No Solution’. Otherwise return (x, y) = (b, √c).
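The modified Cornacchia algorithm above as an added Python example (not code from the thesis), solving 4p = x² + |D| y² for a prime p and a negative discriminant D with D ≡ 0 or 1 mod 4 and |D| < 4p. Two substitutions are mine: the Jacobi-symbol test of step 2 is replaced by Euler’s criterion, which is equivalent because p is prime, and the square root modulo p in step 3 is taken with the standard Tonelli-Shanks method.

```python
# Added example (not from the thesis): modified Cornacchia (Cohen's version above).
# Assumptions: p prime, D < 0, D = 0 or 1 mod 4, |D| < 4p. Names are my own.

from math import isqrt


def sqrt_mod_prime(n, p):
    """A square root of n modulo an odd prime p (Tonelli-Shanks); assumes (n/p) != -1."""
    n %= p
    if n == 0:
        return 0
    if p % 4 == 3:                          # closed formula when p = 3 mod 4
        return pow(n, (p + 1) // 4, p)
    q, s = p - 1, 0                         # p - 1 = q * 2^s with q odd
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2                                   # any quadratic non-residue z
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t                        # least i with t^(2^i) = 1
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def modified_cornacchia(D, p):
    """Return (x, y) with x^2 + |D| y^2 = 4p, or None when no solution exists."""
    if D >= 0 or D % 4 not in (0, 1) or -D >= 4 * p:
        raise ValueError("need D < 0, D = 0 or 1 mod 4 and |D| < 4p")
    if p == 2:                                       # step 1: 4p = 8 = x^2 + |D|, y = 1
        s = isqrt(D + 8)
        return (s, 1) if D + 8 >= 0 and s * s == D + 8 else None
    if pow(D % p, (p - 1) // 2, p) == p - 1:         # step 2: Euler's criterion, (D/p) = -1
        return None
    x0 = sqrt_mod_prime(D, p)                        # step 3: x0^2 = D mod p, 0 <= x0 < p
    if x0 % 2 != D % 2:                              # step 3(a): match the parity of D
        x0 = p - x0
    a, b, l = 2 * p, x0, isqrt(4 * p)                # step 3(b): l = floor(2 sqrt(p))
    while b > l:                                     # step 4: Euclid on (2p, x0)
        a, b = b, a % b
    rest = 4 * p - b * b                             # step 5: test the candidate x = b
    if rest % (-D):
        return None
    c = rest // (-D)
    y = isqrt(c)
    return (b, y) if y * y == c else None
```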
CHAPTER 3

PRELIMINARIES FROM THE ARITHMETIC OF ELLIPTIC CURVES


In this chapter, we will introduce some important results coming together with the arithmetic of elliptic curves over different fields. Elliptic curves have an extensive literature, as they are used in many branches of both theoretical and applied mathematics and are closely related to the theory of elliptic functions, from which they derive their name. Elliptic curves have recently been used in the proof of Fermat’s last theorem. They have also been used in the factorization of integers, in cryptography and, as in our case, in primality proving for more than two decades. Elliptic curves have an extensive usage in cryptography, in particular public key cryptography, since it is possible to reach a reasonable security level when compared with other cryptosystems like RSA. Furthermore, the same level of security can be gained with reasonably smaller key sizes, and hence with smaller memory and processor requirements. Additionally, they give a chance to construct cryptosystems based on the discrete logarithm problem, abbreviated by DLP. In primality proving, an analogous method to the N − 1 tests will be developed by means of the complex multiplication (CM) method for elliptic curves.


3.1 Some results from the theory of Elliptic Curves

Definition 3.1. Let F ∈ ℝ[x, y] be a polynomial of degree d (F ≠ 0). Then
$$C := \{(x, y) \in \mathbb{R}^2 \mid F(x, y) = 0\}$$
is called a curve of degree d.
Let K be a field and K̄ an algebraic closure of K; let further (x_0, x_1, …, x_n) ∈ K̄^{n+1} − {0}. Define (x_0 : x_1 : … : x_n) as the unique line through 0 and (x_0, x_1, …, x_n).

Definition 3.2. The n-dimensional projective space over K is the set
$$\mathbb{P}^n = \{(x_0 : x_1 : \dots : x_n) \mid (x_0, x_1, \dots, x_n) \in \bar{K}^{n+1} - \{0\}\}.$$

Notation: the n-dimensional projective space over K is also denoted by P^n_{K̄}.

Definition 3.3. 1. A point (x_0 : x_1 : … : x_n) ∈ P^n is said to be a K-rational point if there exists λ ∈ K̄* so that (λx_0, λx_1, …, λx_n) ∈ K^{n+1}. The set of all K-rational points of P^n is abbreviated by P^n(K).

2. (x_0 : x_1 : … : x_n) are called homogeneous coordinates of P^n.


Definition 3.4. A subset C € P? is called an algebraic curve, if J a non-constant 


homogene polynomial F € K[z, y, 2] such that C = V(F). 


Remark 3.1. Define $L_z := V(z) \subseteq \mathbb{P}^2$, so that
$$L_z = \{(x : y : z) \in \mathbb{P}^2 \mid z = 0\} \cong \mathbb{P}^1.$$
Then there is an isomorphism
$$\varphi_z : U_z := \mathbb{P}^2 \setminus L_z \to \bar{K}^2, \quad (x : y : z) \mapsto (x/z, y/z).$$
Then $U_z$ is called the affine part of $\mathbb{P}^2$ and $L_z \cong \mathbb{P}^1$ is called the line at infinity.


Definition 3.5. Let $C \subseteq \mathbb{P}^2$ be an algebraic curve. The affine part of $C$ is the subset
$$C' := C \cap U_z.$$


Definition 3.6. An algebraic curve of degree $d$ is said to be smooth if there exists a polynomial $F \in \bar{K}[x, y, z]$ of degree $d$ such that
$$C = V(F) \quad \text{and} \quad (F_x(P), F_y(P), F_z(P)) \neq (0, 0, 0) \ \ \forall P \in C.$$
Notation: Let $i_P(C, L)$ denote the intersection multiplicity of $C$ and $L$ at $P$, i. e. the number of points of $C \cap L$ at $P$ counted with multiplicity, where $L$ is another line (resp. curve).


Theorem 3.1 (Bezout's theorem). Let $C_1, C_2$ be two smooth algebraic curves in $\mathbb{P}^2$. Then
$$\sum_{P \in C_1 \cap C_2} i_P(C_1, C_2) = \deg(C_1) \cdot \deg(C_2).$$

Proof: see reference [18].


Definition 3.7. Let $C = V(F)$ be a smooth algebraic curve of degree $d$, $\deg(F) = d$. Then the Hesse curve of $C$ is the set
$$H_C := V\Big(\det\Big(\frac{\partial^2 F}{\partial x_i \partial x_j}\Big)_{0 \le i, j \le 2}\Big) \subseteq \mathbb{P}^2.$$

Remark 3.2.
• For $d \le 2$, $\det\big(\frac{\partial^2 F}{\partial x_i \partial x_j}\big)$ is constant, and hence not a curve in the sense of Definition 3.4.
• If $\det\big(\frac{\partial^2 F}{\partial x_i \partial x_j}\big) \neq 0$, then $H_C$ is also a smooth algebraic curve, of degree $3d(d-2)$ if $d \ge 3$.


Definition 3.8. A point $P \in C$ is called an inflection point if there exists a tangent $L$ of $C$ at the point $P$ such that $i_P(C, L) \ge 3$. Then $L$ is called the inflection tangent of $C$ at $P$.

Theorem 3.2. (Let $\operatorname{char}(K) \neq 2$.) $P \in C$ is an inflection point if and only if $P \in C \cap H_C$.

Proof: See reference [18].


Remark 3.3. By Bezout's theorem, there are at most $3d(d-2)$ and at least 1 inflection points on an algebraic curve $C$.


Definition 3.9. Let $C$ be a smooth algebraic curve of degree 3 and $O \in C$ be an inflection point. Define
$$+ : C \times C \to C, \quad (P, Q) \mapsto P + Q$$
as follows. Let $\overline{PQ}$ be the line connecting $P$ and $Q$ (the tangent if $P = Q$). Then by Bezout we have $\overline{PQ} \cap C = \{P, Q, R\}$ (with multiplicity). Let $\overline{OR}$ be the line connecting $O$ and $R$; then $\overline{OR} \cap C = \{O, R, S\}$.

Define $P + Q := S$.

Properties of the operation $+$:
1. $\forall P \in C$ we have $P + O = P$ (as $O$ is an inflection point).
2. $\forall P, Q \in C$ we have $P + Q = Q + P$.
3. $\forall P \in C$ consider $\overline{PO} \cap C = \{P, O, Q\}$ and set $-P := Q$. Since $\overline{P(-P)} \cap C = \{P, O, -P\}$ and $\overline{OO} \cap C = \{O, O, O\}$ as $O$ is an inflection point, we have $P + (-P) = O$.
4. $\forall P, Q, R \in C$ we have $(P + Q) + R = P + (Q + R)$.

Proof: See reference [16]. Hence we can conclude that $(C, +)$ is an abelian group.
Definition 3.10. An elliptic curve is a pair $(E, +)$ where $E$ is a smooth algebraic curve of degree 3 and $+$ is a group structure as above.

Remark 3.4. The choice of $O$ as an inflection point is not necessary. However, if we choose $O$ as an inflection point we have the following nice property:
$$P + Q + R = O \iff P, Q \text{ and } R \text{ are collinear}.$$


Remark 3.5. Let $m \in \mathbb{Z}$. Then we define
$$[m]P := \begin{cases} \underbrace{P + P + \cdots + P}_{m \text{ times}} & \text{if } m > 0, \\ O & \text{if } m = 0, \\ -\big([|m|]P\big) & \text{if } m < 0. \end{cases}$$


Theorem 3.3 (Weierstrass Normal Form). Let $E$ be an elliptic curve and $O$ be an inflection point; let also $E = V(F)$ with $\deg(F) = 3$. Then there exists a projective transformation
$$\varphi_A : \mathbb{P}^2 \to \mathbb{P}^2$$
so that $E = V(F')$ with
$$F'(X, Y, Z) = F(\varphi_A(X, Y, Z)) = Y^2 Z + a_1 X Y Z + a_3 Y Z^2 - X^3 - a_2 X^2 Z - a_4 X Z^2 - a_6 Z^3.$$
Moreover, $\varphi_A^{-1}(O) = (0 : 1 : 0)$ is the unique point at infinity of $E'$.

Proof: See reference [16].

Remark 3.6. With a coordinate transformation, the elliptic curve $E'$ is an affine curve, i. e.
$$E' = E \cap U_z = \{(x, y) \in \bar{K}^2 : y^2 + a_1 x y + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6\}$$
plus a point at infinity $O = (0 : 1 : 0)$.


Remark 3.7. For $\operatorname{char}(K) \neq 2, 3$ there is an easier normal form with respect to a coordinate exchange. Then $E = V(F)$ has the form
$$F(X, Y, Z) = Y^2 Z - X^3 - a X Z^2 - b Z^3 \quad \text{with } a, b \in K,$$
that means
$$E = \{(x, y) \in \bar{K}^2 : y^2 = x^3 + a x + b\} \cup \{(0 : 1 : 0)\}.$$

Proof: See [6].

Lemma 3.1.1. Let $E$ be an elliptic curve in this form; then $E$ is smooth if and only if $4a^3 + 27b^2 \neq 0$.

Proof: trivial.


Theorem 3.4. Let $\operatorname{char}(K) \neq 2, 3$. Further let $E = V(F)$ be an elliptic curve with $F(X, Y, Z) = Y^2 Z - X^3 - a X Z^2 - b Z^3$, $a, b \in K$ (in particular $4a^3 + 27b^2 \neq 0$). Moreover, assume that $P, Q \in E$, $P, Q \neq O$ and $P \neq -Q$, and w. l. o. g. $P = (x_1 : y_1 : 1)$ and $Q = (x_2 : y_2 : 1)$. Then we have
$$P + Q = \big(\lambda^2 - x_1 - x_2 \,:\, -\lambda(\lambda^2 - x_1 - x_2) - \mu \,:\, 1\big)$$
with
$$\lambda := \frac{y_2 - y_1}{x_2 - x_1} \quad \text{and} \quad \mu := \frac{y_1 x_2 - y_2 x_1}{x_2 - x_1} \quad \text{if } P \neq Q,$$
i. e. $y = \lambda x + \mu$ is the line through $P$ and $Q$. If we have $P = Q$, then
$$\lambda := \frac{3 x_1^2 + a}{2 y_1} \quad \text{and} \quad \mu := \frac{-x_1^3 + a x_1 + 2b}{2 y_1}.$$

Proof: See [16].

Remark 3.8. If we have $y_1 = 0$, then $P = -P$, as we have $-(x : y : 1) = (x : -y : 1)$.


Remark 3.9. Of course, for the general Weierstrass normal form, i. e. if we have $\operatorname{char}(K) = 2, 3$, the generalized version of this addition process can be applied. See [7].
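As an added example (not code from the thesis), the following Python implementation of the group law of Theorem 3.4 uses the theorem's $\lambda$ and $\mu$, the negation rule of Remark 3.8 and the multiple $[m]P$ of Remark 3.5; the curve $y^2 = x^3 + x$ over $\mathbb{F}_{13}$ and the points used in its checks are constructed for this example.

```python
"""Group law of Theorem 3.4 on E: y^2 = x^3 + a x + b over F_p, p > 3.

Added example, not code from the thesis. Affine points are tuples (x, y);
the point at infinity O is represented by None. The curve y^2 = x^3 + x
over F_13 used in the checks is constructed for this example.
"""


class Curve:
    def __init__(self, p, a, b):
        # Lemma 3.1.1: E is smooth iff 4a^3 + 27b^2 != 0
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 = 0")
        self.p, self.a, self.b = p, a % p, b % p

    def contains(self, P):
        """True if P is O or an affine point satisfying the curve equation."""
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        """-(x : y : 1) = (x : -y : 1), see Remark 3.8."""
        if P is None:
            return None
        x, y = P
        return (x, (-y) % self.p)

    def add(self, P, Q):
        """P + Q via the chord (P != Q) or tangent (P == Q) line y = lam*x + mu."""
        p = self.p
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None  # Q = -P; this also covers y1 = 0, where P = -P (Remark 3.8)
        if P != Q:
            inv = pow((x2 - x1) % p, -1, p)
            lam = (y2 - y1) * inv % p
            mu = (y1 * x2 - y2 * x1) * inv % p        # mu = y1 - lam * x1
        else:
            inv = pow(2 * y1 % p, -1, p)
            lam = (3 * x1 * x1 + self.a) * inv % p
            mu = (-(x1 ** 3) + self.a * x1 + 2 * self.b) * inv % p
        x3 = (lam * lam - x1 - x2) % p
        y3 = (-lam * x3 - mu) % p                     # third point of the line, reflected
        return (x3, y3)

    def mul(self, m, P):
        """[m]P of Remark 3.5, computed with the binary (double-and-add) method."""
        if m < 0:
            m, P = -m, self.neg(P)
        Q = None
        for bit in bin(m)[2:]:
            Q = self.add(Q, Q)
            if bit == "1":
                Q = self.add(Q, P)
        return Q

    def order_of(self, P, bound):
        """Smallest n in 1..bound with [n]P = O, or None (brute force, for small p)."""
        Q = None
        for n in range(1, bound + 1):
            Q = self.add(Q, P)
            if Q is None:
                return n
        return None
```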


Definition 3.11. An endomorphism $\phi$ of an elliptic curve $E$ is a map $\phi : E \to E$ with $\phi(O) = O$. The set of all endomorphisms of an elliptic curve forms a ring and is abbreviated by $\operatorname{End}(E)$.

For the structure of the endomorphism ring $\operatorname{End}(E)$ we have three choices, namely:
1. $\operatorname{End}(E) = \mathbb{Z}$ (not possible for curves over finite fields),
2. $\operatorname{End}(E)$ is an order of an imaginary quadratic number field,
3. $\operatorname{End}(E)$ is the maximal order of a quaternion algebra.

Remark 3.10. We will discuss the second case in detail in CM-theory later!


Definition 3.12. If we have $\mathbb{Z} \subsetneq \operatorname{End}(E)$, then we say that $E$ has complex multiplication, denoted by $E$ with CM.

Definition 3.13. The $j$-invariant of an elliptic curve $E$ with $\Delta \neq 0$ is defined as the constant
$$j(E) = 1728 \cdot \frac{4a^3}{\Delta}, \quad \text{where } \Delta = 4a^3 + 27b^2.$$
Lemma 3.1.2. Let $E_1$ and $E_2$ be two elliptic curves over an algebraically closed field $K$. Then $E_1$ and $E_2$ are isomorphic if and only if $j(E_1) = j(E_2)$.

Proof: see [6].

Remark 3.11. 1. If we have $j = 0$ (resp. $j = 1728$), we have $a = 0$ and $b = 1$ (resp. $a = 1$ and $b = 0$).

2. One can also show that for every $j \in K$ there exists an elliptic curve $E$ with $j(E) = j$.


3.2 Elliptic curves over $\mathbb{C}$


Definition 3.14. Given a lattice $\Lambda$ in $\mathbb{C}$, $\Lambda = \{n\omega_1 + m\omega_2 \mid n, m \in \mathbb{Z}\}$ with $\omega_1, \omega_2 \in \mathbb{C}^*$, $\omega_1/\omega_2 \notin \mathbb{R}$.

1. A meromorphic function $f$ is said to be elliptic if $f(z + \omega) = f(z)$, $\forall \omega \in \Lambda$.

2. The Weierstrass $\wp$-function associated to $\Lambda$ is given by
$$\wp(z; \Lambda) = z^{-2} + \sum_{\omega \in \Lambda \setminus \{0\}} \big((z - \omega)^{-2} - \omega^{-2}\big).$$
Then we have
$$\wp(z; \Lambda) = \begin{cases} z^{-2} + \sum_{\omega \in \Lambda \setminus \{0\}} \big((z - \omega)^{-2} - \omega^{-2}\big) & \text{if } z \notin \Lambda, \\ \infty & \text{if } z \in \Lambda. \end{cases}$$


Theorem 3.5. The Weierstrass $\wp$-function is meromorphic, it is elliptic (doubly periodic) and satisfies the following differential equation:
$$\wp'(z)^2 = 4\wp(z)^3 - g_2(\Lambda)\wp(z) - g_3(\Lambda)$$
with the constants
$$g_2(\Lambda) = 60 \sum_{\omega \in \Lambda \setminus \{0\}} \omega^{-4} \quad \text{and} \quad g_3(\Lambda) = 140 \sum_{\omega \in \Lambda \setminus \{0\}} \omega^{-6}.$$

Proof: See reference [6].


Definition 3.15. Two lattices $\Lambda_1$ and $\Lambda_2$ are said to be homothetic if there exists $\lambda \in \mathbb{C}^*$ such that $\Lambda_1 = \lambda \Lambda_2$.

Definition 3.16. The $j$-invariant of a lattice $\Lambda$ is a complex number $j(\Lambda)$

Theorem 3.6. Two lattices $\Lambda_1$ and $\Lambda_2$ are homothetic if and only if they have the same $j$-invariant.

Proof: See reference [6].


Theorem 3.7. Let $E = (a, b)$ be an elliptic curve over $\mathbb{C}$. Then there exists a uniquely defined lattice $\Lambda \subseteq \mathbb{C}$ so that $a = -g_2(\Lambda)/4$ and $b = -g_3(\Lambda)/4$, respectively.

Proof: See [6].

Proposition 3.1. Let $\mathcal{O}$ be an order in an imaginary quadratic number field $K$ and $\mathfrak{i}$ be an invertible fractional ideal. Then $\mathfrak{i}$ can be considered as a lattice over $\mathbb{C}$.

Proof: See [6].


Theorem 3.8. Let $\Lambda$ be a lattice and $\wp(z; \Lambda)$ the Weierstrass $\wp$-function. Furthermore, assume we have $\alpha \in \mathbb{C} \setminus \mathbb{Z}$. Then the following are equivalent:
1. $\wp(\alpha z)$ is a rational function of $\wp(z)$.
2. $\alpha \Lambda \subseteq \Lambda$.
3. There exists an order $\mathcal{O}$ in an imaginary quadratic number field such that $\Lambda$ is homothetic to an invertible fractional ideal of that order $\mathcal{O}$.

Proof: See [6] and [5].
Theorem 3.9. Let $E$ be an elliptic curve over $\mathbb{C}$ and $\Lambda$ be the corresponding lattice. Then
$$\operatorname{End}(E) = \{\alpha \in \mathbb{C} \mid \alpha \Lambda \subseteq \Lambda\}.$$

By the above two theorems we have: $\operatorname{End}(E)$ of an elliptic curve $E$ is an order $\mathcal{O}$ of an imaginary quadratic number field if and only if the lattice $\Lambda$ is homothetic to an invertible fractional ideal $\mathfrak{i}$ of $\mathcal{O}$.

$\Rightarrow$ There is a bijective map between the set of invertible fractional ideals of imaginary quadratic orders and the set of isomorphy classes of elliptic curves.

$\Rightarrow$ In particular we have $j(\mathfrak{i}) = j(E)$, where $j(\mathfrak{i})$ and $j(E)$ are the $j$-invariants of the invertible fractional ideal $\mathfrak{i}$ of the imaginary quadratic order $\mathcal{O}$ and of the elliptic curve $E$, respectively.


Theorem 3.10. Let $\mathcal{O}$ be an order in an imaginary quadratic number field $K$ and $\mathfrak{i}$ be an invertible fractional ideal of the order $\mathcal{O}$. Then $j(\mathfrak{i})$ is an algebraic integer of degree at most $h(\mathcal{O})$.

Proof: See [5].

Review: From the previous chapter we have $h(\mathcal{O})$ as the cardinality of the ideal class group $\operatorname{Cl}(\mathcal{O})$.

Let now $K$ be an imaginary quadratic number field with maximal imaginary quadratic order $\mathcal{O}_K$. Then one can represent the ideal class group $\operatorname{Cl}(\mathcal{O}_K)$ of $\mathcal{O}_K$ by the representatives
$$\mathfrak{i}_1, \cdots, \mathfrak{i}_{h_D},$$
where the representatives are lattices over $\mathbb{C}$. Hence $j(\mathfrak{i}_1), \cdots, j(\mathfrak{i}_{h_D})$ will determine the $j$-invariants. Let $L$ be the smallest Galois extension of $K$ in which each $j(\mathfrak{i}_s)$, $0 < s \le h_D$, is contained.

$\Rightarrow$ We then have an isomorphism $\mathbb{C}/\mathfrak{i}_s \to E_s(\mathbb{C})$.
Let now $E$ be an elliptic curve over $\mathbb{C}$ with $\operatorname{End}(E) \cong \mathcal{O}_D$ and let $\mathfrak{i}_1, \cdots, \mathfrak{i}_{h_D}$ be the elements of the ideal class group $\operatorname{Cl}(\mathcal{O}_D)$. Let further $\varepsilon$ denote the elliptic curve over $L$ given as follows:
$$j_0 = j(\mathfrak{i}_k)$$
for some $k \in \{1, \cdots, h_D\}$, with $\kappa = j_0/(1728 - j_0)$ and $\varepsilon = (3\kappa, 2\kappa)$.

$\Rightarrow$ The lattices of $E$ and $\varepsilon$ are homothetic!


Theorem 3.11. Let $K$ be an imaginary quadratic number field and $\mathcal{O}_K$ be the ring of algebraic integers in $K$. Then there exist exactly $h_D$ isomorphy classes of elliptic curves with complex multiplication (CM) by $\mathcal{O}_K$, where $D$ is the imaginary quadratic discriminant of $\mathcal{O}_K$. Moreover, they can be defined over the Hilbert class field $H_K$. The class polynomial of the Hilbert class field is
$$H_D(X) = \prod_{s=1}^{h_D} \big(X - j(\mathfrak{i}_s)\big).$$

Proof and details: see references [6], [5] and their references.


3.3 Elliptic curves over finite fields $\mathbb{F}_q$

Definition 3.17. Let $E$ be an elliptic curve over a finite field $\mathbb{F}_q$. The $q$-th power Frobenius map is defined by
$$\varphi : E(\bar{\mathbb{F}}_q) \to E(\bar{\mathbb{F}}_q), \quad (x, y) \mapsto (x^q, y^q), \quad O \mapsto O.$$

It is also easy to see that $\varphi$ maps points on $E$ to points on $E$, i. e. it respects the group law. In fact $\varphi$ is a group endomorphism of $E$ over $\mathbb{F}_q$.

Corollary 3.1. 1. Let $E$ be an elliptic curve over $\mathbb{F}_q$. Then we have
$$|E(\mathbb{F}_q)| = q + 1 - t$$
where $t$ is the trace of Frobenius at $q$.

2. The Frobenius endomorphism $\varphi$ and the trace of Frobenius satisfy the following functional equation
$$\varphi^2 - [t]\varphi + [q] = [0],$$
that is, for a given point $P = (x, y)$ on the curve (given in affine coordinates) we have the following functional equality
$$(x^{q^2}, y^{q^2}) - [t](x^q, y^q) + [q](x, y) = O.$$

Note: addition and subtraction are curve operations!

Proof: see reference [6].


Theorem 3.12 (Hasse). Let $p$ be a prime number and $q = p^n$, $n \in \mathbb{N}$. Let also $E$ be an elliptic curve over $\mathbb{F}_q$. Then
$$\big|\, |E(\mathbb{F}_q)| - (q + 1) \,\big| \le 2\sqrt{q}.$$

Proof: See [6].

Definition 3.18. Let $E$ be an elliptic curve over $\mathbb{F}_p$, where $p$ is a prime number. Let also $|E(\mathbb{F}_p)| = p + 1$. Then $E$ is called supersingular.

Lemma 3.3.1. If $E$ is a supersingular elliptic curve over $\mathbb{F}_p$, then $\operatorname{End}(E)$ is the maximal order of a quaternion algebra.


As we already discussed, we have just two choices for the endomorphism ring of an elliptic curve over a finite field (as for finite fields $\operatorname{End}(E) \neq \mathbb{Z}$). The second case is the case of the above lemma, and the important case is explained by means of the following theorem.

Theorem 3.13. Let $E$ be an elliptic curve over $\mathbb{F}_p$, where $p$ is a prime number. The endomorphism ring of $E$ is an imaginary quadratic order if and only if $|E(\mathbb{F}_p)| \neq p + 1$.

Proof: see [6].


Remark 3.12. Let $\mathfrak{P} \subseteq \mathcal{O}_L$ be a prime ideal with $\mathcal{O}_L/\mathfrak{P} \cong \mathbb{F}_p$. Furthermore, let $\varepsilon = (\alpha, \beta)$ be a non-supersingular elliptic curve over $L$ and let $E = (\alpha \bmod \mathfrak{P}, \beta \bmod \mathfrak{P})$ be the reduced curve modulo $\mathfrak{P}$.

The curve $\varepsilon$ has 'good' reduction modulo $\mathfrak{P}$ if $E$ is again a non-supersingular elliptic curve. It means
$$j(\varepsilon) \bmod \mathfrak{P} = j(E).$$

Theorem 3.14. If $j \in \mathbb{F}_p$, $j \neq 0, 1728$, then there exist at most two isomorphy classes of elliptic curves over $\mathbb{F}_p$ with $j$-invariant $j$. If $j = 0$ (resp. $j = 1728$), then there exist at most 6 (resp. 4) isomorphy classes.

Proof: see also [6] for details.


Theorem 3.15 (Deuring). Let $\mathcal{O}_K$ be a maximal imaginary quadratic order. Moreover, let $\varepsilon$ be an elliptic curve over $H_D$ with $\operatorname{End}(\varepsilon) = \mathcal{O}_K$, and let further $\mathfrak{p}$ be a prime ideal of degree 1 (i. e. $\mathcal{O}_K/\mathfrak{p} \cong \mathbb{F}_p$) with $(p) = \mathfrak{p}\bar{\mathfrak{p}}$, such that $\varepsilon$ has 'good' reduction at $\mathfrak{p}$. Then $\operatorname{End}(\varepsilon) = \operatorname{End}(E)$, i. e. $\operatorname{End}(E) = \mathcal{O}_K$.

Proof: see [6] and [5].

$\Rightarrow$ There exists some $\pi \in \mathcal{O}_K$ with $p = \pi\bar{\pi}$, and then
$$|E(\mathbb{F}_p)| = p + 1 - (\pi + \bar{\pi}).$$
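The following Python code is an added example, not code from the thesis. It counts $|E(\mathbb{F}_p)|$ by brute force, checks Hasse's bound, and verifies $|E(\mathbb{F}_p)| = p + 1 - (\pi + \bar{\pi})$ in the simplest CM case $\mathcal{O}_K = \mathbb{Z}[i]$ (curves $y^2 = x^3 + ax$, $j = 1728$), where for $p \equiv 1 \pmod 4$ the four isomorphy classes of Theorem 3.14 are the twists $a = g^i$ and their traces are those of the four unit multiples of $\pi = u + iv$; all primes and curves used are small constructed inputs.

```python
"""Point counting over F_p, Hasse's bound and the CM trace p + 1 - (pi + pi_bar).

Added example, not code from the thesis. It uses the simplest CM order,
O_K = Z[i] (D = -4, j = 1728, curves y^2 = x^3 + a x): for p = 1 mod 4 one
has p = pi * pi_bar with pi = u + iv, the four isomorphy classes of
Theorem 3.14 are the quartic twists a = g^i (g a generator of F_p^*), and
their Frobenius traces are the traces 2u, -2u, 2v, -2v of the four unit
multiples of pi. All primes and curves below are small constructed inputs.
"""
from math import isqrt


def legendre(n, p):
    """Legendre symbol (n/p) for an odd prime p, by Euler's criterion."""
    n %= p
    if n == 0:
        return 0
    return 1 if pow(n, (p - 1) // 2, p) == 1 else -1


def count_points(p, a, b):
    """|E(F_p)| for E: y^2 = x^3 + a x + b: 1 + (n/p) solutions y per x, plus O."""
    total = 1
    for x in range(p):
        total += 1 + legendre(x ** 3 + a * x + b, p)
    return total


def trace_of_frobenius(p, a, b):
    """t with |E(F_p)| = q + 1 - t (Corollary 3.1 with q = p)."""
    return p + 1 - count_points(p, a, b)


def hasse_bound_holds(p, a, b):
    """Theorem 3.12: | |E(F_p)| - (p + 1) | <= 2 sqrt(p), checked as t^2 <= 4p."""
    t = trace_of_frobenius(p, a, b)
    return t * t <= 4 * p


def split_in_gaussian_integers(p):
    """(u, v) with u^2 + v^2 = p, u <= v, i.e. p = pi * pi_bar in Z[i]; None if p stays prime in Z[i]."""
    u = 1
    while 2 * u * u <= p:
        v = isqrt(p - u * u)
        if v * v == p - u * u:
            return (u, v)
        u += 1
    return None


def primitive_root(p):
    """Smallest generator of F_p^* (brute force, adequate for small p)."""
    prime_factors = [q for q in range(2, p) if (p - 1) % q == 0
                     and all(q % r for r in range(2, q))]
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors):
            return g
    return 1


def quartic_twist_traces(p):
    """Sorted traces of the four twists y^2 = x^3 + g^i x, i = 0..3, by brute-force counting."""
    g = primitive_root(p)
    return sorted(trace_of_frobenius(p, pow(g, i, p), 0) for i in range(4))


def cm_predicted_traces(p):
    """Sorted values pi + pi_bar over the unit multiples of pi = u + iv: {2u, -2u, 2v, -2v}."""
    u, v = split_in_gaussian_integers(p)
    return sorted([2 * u, -2 * u, 2 * v, -2 * v])
```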


3.4 Fast Point Addition and Multiplication

At this point we will give some algorithms and methods to find a random point on a given elliptic curve and discuss the efficient fast point addition and multiplication methods that appear in our computations later.

By Hasse's theorem we can conclude that for a given $q$ the group order lies in a range of width $4\sqrt{q}$ about the value $q + 1$. In order to find a random point on a given elliptic curve over $\mathbb{F}_q$, we can use the following algorithm due to [7], which gives an almost uniform distribution over the elements of $\mathbb{F}_q$.

ALGORITHM: Determining a random point on $E(\mathbb{F}_q)$
Input: An elliptic curve $E$ over $\mathbb{F}_q$,
Output: A 'random' point $P \in E(\mathbb{F}_q)$.
1. Do the following:
   (a) Pick a random $x \in \mathbb{F}_q$;
   (b) Substitute $x$ for $X$ in the Weierstrass form of the curve $E$;
   (c) Try to find $Y$;
   (d) If such $y$'s can be found, choose one and set $P = (x, y)$.
2. Until such a point $P$ is found.
3. Return $P$.

For prime fields $\mathbb{F}_p$ each order occurs with an almost uniform distribution; for details see reference [43].


3.4.1 Point Addition

We will concentrate our attention only on $p > 3$, not on characteristics 2 or 3, as we do not need such characteristics in our further discussions (for fields of characteristic 2, which are of cryptographic interest, there are methods analogous to the ones we describe here; for details see [7]). Our observations on point addition and multiplication are also based on the results from [7] and its references.
Affine Coordinates

Review: As we already discussed, for fields of characteristic not equal to 2 or 3 and two points $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ given in affine coordinates, such that $P_1, P_2 \neq O$ and $P_1 \neq -P_2$ (these two conditions can be trivially checked), we have $P_1 + P_2 = P_3 = (x_3, y_3)$, and this can be computed as follows:
1. If $P_1 \neq P_2$,
   (a) $\lambda = \dfrac{y_2 - y_1}{x_2 - x_1}$,
   (b) $x_3 = \lambda^2 - x_1 - x_2$,
   (c) $y_3 = (x_1 - x_3)\lambda - y_1$.

• For $P_1 \neq P_2$, we have one field inversion and three field multiplications, which can be abbreviated by $1I + 3M$.
• For $P_1 = P_2$, we have one field inversion and four field multiplications, which can be abbreviated by $1I + 4M$.

Remark 3.13. We can neglect in this case the cost of field additions and of multiplications by small constants (for example in the computation of $\lambda$ for the case $P_1 = P_2$).


Projective Coordinates

As we already explained, too, a projective point $P = (X, Y, Z)$ satisfies the following Weierstrass equation
$$Y^2 Z = X^3 + a X Z^2 + b Z^3.$$

If $Z \neq 0$, it corresponds to the affine point $(X/Z, Y/Z)$. It turns out that other projective representations can lead to more efficient implementations. In particular, we will prefer the 'weighted' projective representation, i. e. $(X, Y, Z)$ will correspond to $(X/Z^2, Y/Z^3)$ whenever $Z \neq 0$. It is equivalent then to using a projective curve of the form
$$Y^2 = X^3 + a X Z^4 + b Z^6.$$

Then the zero point is $O = (\theta^2, \theta^3, 0)$ for some $\theta \in \mathbb{F}_q$. One can easily see that conversion from affine to projective coordinates is trivial, while conversion in the other direction costs $1I + 4M$.

The key observation in connection with weighted projective coordinates is that point addition can be done using field multiplications only, with no inversions required. The total cost is then $16M$ (for details see [7]).


3.4.2 Fast Point Multiplication

Point multiplication on the group of rational points of an elliptic curve is a special case of the problem of exponentiation in general abelian groups (where we use the multiplicative notation for the general setting of abelian groups). Therefore, this problem corresponds to the problem of the shortest addition chain for integers, i. e. starting from 1 and computing at each step the sum of two previous results, what is the least number of steps required to obtain $k$?

Certain characteristics of the elliptic curve version of the problem must also be taken into account to obtain faster computational methods and hence algorithms, although general methods of exponentiation can be used to solve the point multiplication problem.

We will not give details of the analysis of the algorithms that we give below; these can be found in [7]. For the sake of correctness when analyzing the complexity in this section, and for simplicity, we will consider the case of a field of characteristic 2, which can easily be extended to our case $p > 3$, where $p$ is a prime.

ALGORITHM: Point Multiplication: Binary Method
Input: A point $P$ and an $l$-bit integer $k = \sum_{j=0}^{l-1} k_j 2^j$,
Output: $Q = [k]P$.
1. $Q \leftarrow O$;
2. For $j = l - 1$ down to $0$ do:
   (a) $Q \leftarrow [2]Q$;
   (b) If $k_j = 1$ then $Q \leftarrow Q + P$;
   (c) $j \leftarrow j - 1$.
3. Return $Q$.

Our second method is the $m$-ary method, where $m = 2^r$ for some $r \ge 1$, and hence the binary method is the special case of this method corresponding to $r = 1$.


ALGORITHM: Point Multiplication: m-ary Method
Input: A point $P$ and an integer $k = \sum_{j=0}^{d-1} k_j m^j$, $k_j \in \{0, 1, \cdots, m-1\}$
Output: $Q = [k]P$.
1. Precomputation
   (a) $P_1 \leftarrow P$;
   (b) For $i = 2$ to $m - 1$ do:
      i. $P_i \leftarrow P_{i-1} + P$ (we have $P_i = [i]P$);
      ii. $i \leftarrow i + 1$.
   (c) $Q \leftarrow O$;
2. Main Loop
   (a) For $j = d - 1$ down to $0$ do:
      i. $Q \leftarrow [m]Q$ (this requires $r$ doublings);
      ii. $Q \leftarrow Q + P_{k_j}$;
      iii. $j \leftarrow j - 1$.
   (b) Return $Q$.

It can be easily verified that the algorithm computes $[k]P$, following Horner's rule
$$[m]\big(\cdots [m]([m]([k_{d-1}]P) + [k_{d-2}]P) + \cdots\big) + [k_0]P = [k]P.$$

The doubling in the main loop can be exploited to obtain additional savings: by splitting the computation of $[m]Q$ into two different stages, one can also skip the even multiples of $P$ in the precomputation. This leads to an improvement on the $m$-ary method; this modified version of the $m$-ary method will be our third algorithm.


ALGORITHM: Point Multiplication: Modified m-ary Method
Input: A point $P$ and an integer $k = \sum_{j=0}^{d-1} k_j m^j$, $k_j \in \{0, 1, \cdots, m-1\}$
Output: $Q = [k]P$.
1. Precomputation
   (a) $P_1 \leftarrow P$, $P_2 \leftarrow [2]P$;
   (b) For $i = 2$ to $(m - 2)/2$ do:
      i. $P_{2i-1} \leftarrow P_{2i-3} + P_2$;
      ii. $i \leftarrow i + 1$.
   (c) $Q \leftarrow O$;
2. Main Loop
   (a) For $j = d - 1$ down to $0$ do:
      i. If $k_j \neq 0$ then do
         A. Let $s_j, h_j$ be such that $k_j = 2^{s_j} h_j$ with $h_j$ odd;
         B. $Q \leftarrow [2^{r - s_j}]Q$;
         C. $Q \leftarrow Q + P_{h_j}$;
         D. $Q \leftarrow [2^{s_j}]Q$.
      ii. Else $s_j \leftarrow r$ and
         A. $Q \leftarrow [2^{s_j}]Q$;
      iii. $j \leftarrow j - 1$.
   (b) Return $Q$.

Note that a slightly modified version of Horner's method proves the correctness of this algorithm, too. At this stage we will once more generalize the method and give the so-called Sliding Window Method.


ALGORITHM: Point Multiplication: Sliding Window Method
Input: A point $P$ and an integer $k = \sum_{j=0}^{l-1} k_j 2^j$, $k_j \in \{0, 1\}$
Output: $Q = [k]P$.
1. Precomputation
   (a) $P_1 \leftarrow P$, $P_2 \leftarrow [2]P$;
   (b) For $i = 1$ to $2^{r-1} - 1$ do:
      i. $P_{2i+1} \leftarrow P_{2i-1} + P_2$;
      ii. $i \leftarrow i + 1$.
   (c) $j \leftarrow l - 1$, $Q \leftarrow O$;
2. Main Loop
   (a) While $j \ge 0$ do
      i. If $k_j = 0$ then
         A. $Q \leftarrow [2]Q$,
         B. $j \leftarrow j - 1$.
      ii. Else do:
         A. Let $t$ be the least integer such that $j - t + 1 \le r$ and $k_t = 1$,
         B. $h_j \leftarrow (k_j k_{j-1} \cdots k_t)_2$,
         C. $Q \leftarrow [2^{j-t+1}]Q + P_{h_j}$,
         D. $j \leftarrow t - 1$.
   (b) Return $Q$.


It is time now to mention the so-called signed digit representations. It is the case that subtraction in the group of rational points of an elliptic curve has virtually the same cost as addition. For canonical curve representations the negative of a point $P = (x, y)$ is $(x, x + y)$ in characteristic two, and $(x, -y)$ in odd characteristic. This leads us to reduce the number of curve operations by means of addition-subtraction chains in point multiplication methods.

Consider now integer representations of the form $k = \sum_{j=0}^{l} s_j 2^j$, where $s_j \in \{-1, 0, 1\}$. This is then said to be a binary signed digit representation, abbreviated SD. This representation includes all integers $0 \le k \le 2^{l+1} - 1$ along with their negatives. This redundancy can be traded off for a sparsity constraint, which results in more efficient point multiplication algorithms.

Definition 3.19. An SD representation is said to be sparse if it has no adjacent non-zero digits, that is $s_j s_{j+1} = 0$ $\forall j \ge 0$. A sparse SD representation is also called a non-adjacent form, denoted by NAF.

Lemma 3.4.1. Every integer $k$ has a unique NAF. The NAF has the lowest weight among all SD representations of $k$, and it is at most one digit longer than the shortest SD representation of $k$.

Proof: See, also for more details, references [39], [38] Chapter 10 and [37].

Our next algorithm computes the NAF of a non-negative integer given in binary representation.


ALGORITHM: Conversion to NAF
Input: An $l$-bit integer $k = \sum_{j=0}^{l-1} k_j 2^j$, $k_j \in \{0, 1\}$
Output: $k = \sum_{j=0}^{l} s_j 2^j$, $s_j \in \{-1, 0, 1\}$
1. $c_0 \leftarrow 0$;
2. For $j = 0$ to $l$ do:
   (a) $c_{j+1} \leftarrow \lfloor (k_j + k_{j+1} + c_j)/2 \rfloor$ (assuming that $k_i = 0$ for $i \ge l$);
   (b) $s_j \leftarrow k_j + c_j - 2c_{j+1}$;
   (c) $j \leftarrow j + 1$.
3. Return $(s_l s_{l-1} \cdots s_0)$.

Morain and Olivos showed that NAFs have fewer non-zero digits than binary representations; i. e. they proved that the expected weight of a NAF of length $l$ is $l/3$. For details see [36].


Now we will give a slightly generalized algorithm of the sliding window method, namely the Signed $m$-ary Window Decomposition.

ALGORITHM: Signed m-ary Window Decomposition
Input: An $l$-bit integer $k = \sum_{j=0}^{l-1} k_j 2^j$, $k_j \in \{0, 1\}$, $k_l = 0$
Output: A sequence of pairs $\{(b_i, e_i)\}_{i=0}^{d-1}$
1. $d \leftarrow 0$, $j \leftarrow 0$;
2. While $j \le l$ do:
   (a) If $k_j = 0$
      i. $j \leftarrow j + 1$.
   (b) Else do
      i. $t \leftarrow \min\{l, j + r - 1\}$, $h_d \leftarrow (k_t k_{t-1} \cdots k_j)_2$.
      ii. If $h_d > 2^{r-1}$ then do:
         A. $b_d \leftarrow h_d - 2^r$,
         B. increment the number $(k_l k_{l-1} \cdots k_{t+1})_2$ by 1.
      iii. Else
         A. $b_d \leftarrow h_d$,
      iv. $e_d \leftarrow j$, $d \leftarrow d + 1$, $j \leftarrow t + 1$.
3. Return the sequence $(b_0, e_0), (b_1, e_1), \cdots, (b_{d-1}, e_{d-1})$.
Proof of the correctness of the algorithm: The correctness of the algorithm is verified inductively by asserting the condition
$$k = \sum_{i=0}^{d-1} b_i 2^{e_i} + \sum_{i=j}^{l} k_i 2^i$$
each time the loop condition in Step 2 is checked. As soon as $j > l$, the second sum of the above equation vanishes, giving the desired decomposition of $k$; then the proof is straightforward. The only observation here is that if the condition in step (b).ii holds, then (b).ii.A subtracts $2^{j+r}$ from the sum in the equation and (b).ii.B adds it back, as we have $t = j + r - 1$.

Now, after having the sequence $\{(b_i, e_i)\}_{i=0}^{d-1}$, the modification of the sliding window method is easy to construct.


ALGORITHM: Signed m-ary Windows
Input: A point $P$ and a sequence $\{(b_i, e_i)\}_{i=0}^{d-1}$ such that $k = \sum_{i=0}^{d-1} b_i 2^{e_i}$
Output: $Q = [k]P$.

• Precomputation
   1. $P_1 \leftarrow P$, $P_2 \leftarrow [2]P$
   2. For $i = 1$ to $2^{r-2} - 1$ do
      (a) $P_{2i+1} \leftarrow P_{2i-1} + P_2$,
      (b) $i \leftarrow i + 1$
   3. $Q \leftarrow P_{b_{d-1}}$ (where $P_{-b} := -P_b$)

• Main Loop
   1. For $i = d - 2$ down to $0$
      (a) $Q \leftarrow [2^{e_{i+1} - e_i}]Q$,
      (b) If $b_i > 0$ then $Q \leftarrow Q + P_{b_i}$,
      (c) Else $Q \leftarrow Q - P_{-b_i}$,
      (d) $i \leftarrow i - 1$.
   2. $Q \leftarrow [2^{e_0}]Q$,
   3. Return $Q$.

Using an analysis analogous to that of the unsigned window scheme, one can derive the correctness of the algorithm; for details see [7].
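The following Python code is an added example (not code from the thesis) of the NAF conversion, the signed $m$-ary window decomposition and the Signed $m$-ary Windows algorithm above. The group is supplied as callbacks, as the text frames point multiplication as exponentiation in a general abelian group; the checks use the additive group $\mathbb{Z}/n$ as a stand-in, which is an assumption of the example, and an elliptic-curve add/neg pair can be plugged in unchanged.

```python
"""NAF conversion and signed m-ary window multiplication (m = 2^r).

Added example, not code from the thesis. The group is passed in as callbacks
(add, neg, zero), as the text frames point multiplication as exponentiation in
a general abelian group; the checks use the additive group Z/n as a stand-in.
"""


def to_naf(k):
    """Digits s_0, ..., s_l of the NAF of k >= 0 (least significant first), computed
    with the carry recursion of the text: c_{j+1} = floor((k_j + k_{j+1} + c_j)/2),
    s_j = k_j + c_j - 2 c_{j+1}."""
    bits = [(k >> j) & 1 for j in range(k.bit_length())] + [0, 0]  # k_i = 0 above the top bit
    digits, c = [], 0
    for j in range(len(bits) - 1):
        c_next = (bits[j] + bits[j + 1] + c) // 2
        digits.append(bits[j] + c - 2 * c_next)
        c = c_next
    while len(digits) > 1 and digits[-1] == 0:   # drop leading zeros
        digits.pop()
    return digits


def signed_window_decomposition(k, r):
    """Signed m-ary window decomposition of k >= 1 following the text: returns
    [(b_0, e_0), ..., (b_{d-1}, e_{d-1})] with k = sum b_i 2^{e_i}, every b_i odd,
    |b_i| <= 2^{r-1} - 1 and e_0 < e_1 < ... < e_{d-1}."""
    l = k.bit_length()
    bits = [(k >> j) & 1 for j in range(l)] + [0, 0]   # k_l = 0; bits[l+1] is a guard, never set
    out, j = [], 0
    while j <= l:
        if bits[j] == 0:
            j += 1
            continue
        t = min(l, j + r - 1)
        h = sum(bits[i] << (i - j) for i in range(j, t + 1))   # h_d = (k_t ... k_j)_2
        if h > 2 ** (r - 1):
            b = h - 2 ** r
            i = t + 1                      # add 2^{t+1} = 2^r 2^j back: increment (k_l ... k_{t+1})_2
            while bits[i] == 1:
                bits[i] = 0
                i += 1
            bits[i] = 1
        else:
            b = h
        out.append((b, j))
        j = t + 1
    return out


def signed_window_multiply(k, P, add, neg, zero, r=4):
    """[k]P by the Signed m-ary Windows algorithm of the text. Returns ([k]P, n_ops),
    where n_ops counts group additions and doublings, precomputation included."""
    if k == 0:
        return zero, 0
    if k < 0:
        k, P = -k, neg(P)
    windows = signed_window_decomposition(k, r)
    pre, ops = {1: P}, 0
    if r >= 3:                                      # odd multiples P_3, ..., P_{2^{r-1}-1}
        P2 = add(P, P)
        ops += 1
        for i in range(1, 2 ** (r - 2)):
            pre[2 * i + 1] = add(pre[2 * i - 1], P2)
            ops += 1

    def table(b):                                   # P_b for b > 0, -P_{-b} for b < 0
        return pre[b] if b > 0 else neg(pre[-b])

    b, e = windows[-1]
    Q = table(b)
    for b_i, e_i in reversed(windows[:-1]):
        for _ in range(e - e_i):                    # Q <- [2^{e_{i+1} - e_i}] Q
            Q = add(Q, Q)
            ops += 1
        Q = add(Q, table(b_i))
        ops += 1
        e = e_i
    for _ in range(e):                              # Q <- [2^{e_0}] Q
        Q = add(Q, Q)
        ops += 1
    return Q, ops
```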


3.5 Point Counting and Other Problems

Remark 3.14. There are also other concepts of elliptic curves that come together with primality proving algorithms and public key cryptography; some of these are the following:

• Determining the group order (point counting) of the group of rational points of elliptic curves over finite fields. For this there are lots of approaches:
   – Baby Step-Giant Step, Schoof's algorithm and its variants, e. g. due to Elkies and Atkin, based on the variation of Hasse's theorem.
   – Counting the points by means of constructing non-supersingular elliptic curves with complex multiplication.

• The Discrete Logarithm Problem for elliptic curves, abbreviated ECDLP, which gives a chance to obtain analogous cryptographic protocols like ElGamal and Diffie-Hellman. Note that according to the Pohlig-Hellman approach, solving the DLP modulo $n$, where $n = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r}$ is the order of an abelian group $G$, is equivalent to solving each DLP modulo $p_i$, where the $p_i$ are prime for $1 \le i \le r$.

Note: We will introduce the concepts of the Point Counting Problem in detail in Chapters 5 and 6, because the primality proving algorithms of Goldwasser and Kilian and of Atkin are principally based on the Point Counting Problem, and hence on Schoof's approach (or its variants) and on the CM-method, respectively.

We will also see computationally efficient methods for the above concepts in detail and try to get efficient methods in particular for curves with complex multiplication. Furthermore, we will also see how the results coming from the arithmetic of elliptic curves over $\mathbb{C}$ or $\mathbb{Q}$ and the results of Algebraic Number Theory that we developed in the former chapter will be applied in our primality testing and proving algorithms.

A more general treatment of the theory of the arithmetic of elliptic curves and their usage in extensive areas of both applied and theoretical mathematics can be found in [6] and [5]. Furthermore, for the usage of elliptic curves particularly in cryptography, coding theory and factorization of integers see [1] and [38].


CHAPTER 4


PRIMALITY TESTING AND PROVING ALGORITHMS


In this chapter, we are going to introduce and explain different primality testing and proving algorithms. We will start with a historical prime listing method, namely the sieve of Eratosthenes, which gives us the possibility to store the prime numbers up to a given bound, say up to $10^{10}$, and therefore enables us to verify whether a given prime candidate $N$, $N < 10^{10}$, is prime by just checking whether it is divisible by any element of the list.

Questions
• What is a Primality Test / Primality Proof?
• What is the meaning of a certificate in our context?

Definition 4.1. 1. If our algorithm gives us the possibility to reprove the primality of the candidate mathematically, then we say that our algorithm is a Primality Proving algorithm.

2. If with our algorithm it is not possible to recheck mathematically that our candidate is prime, then we say that our algorithm is a Primality Testing algorithm. In that case we again have two possibilities:
   (a) An algorithm is said to be a True Primality Testing algorithm if it can determine with mathematical certainty that our candidate is prime.
   (b) An algorithm is said to be a Probabilistic Primality Testing algorithm if it only determines that our candidate is a probable prime.

3. If it is possible to reprove the primality of our prime candidate, then we say that it has a (primality) certificate.


4.1 Prime Number Generation


In this section, we will explain a very historical prime listing method. For generalizations and modern methods see [2].


ALGORITHM: Sieve of Eratosthenes
Input: A natural number $B$, $B \ge 2$, and the set $L = \{2\}$
Output: The prime numbers in $[2, B]$.
1. List the numbers $n \in [2, B]$, for example $a_i = i$, $2 \le i \le B$, and initialise $p = 2$;
2. While $p < B$ do:
   (a) Start with $p$ and delete all $n$'s of the form $k \cdot p$ with $k \ge 2$;
   (b) Find the smallest non-deleted number $p'$ with $p' > p$; then $L = L \cup \{p'\}$;
   (c) $p \leftarrow p'$;
3. Return $L$.

Remark 4.1. One can improve the efficiency in the following ways:
• Considering just the odd $n \in [2, B]$, or better the numbers coprime to $210 = 2 \cdot 3 \cdot 5 \cdot 7$.
• One can also generalize the sieve to intervals $[A, B]$, such as $[A, A + 10^6]$.


4.2 Trial-division Method


The easiest way to test whether a number is prime or not is the so-called trial division. If a given number $N \in \mathbb{N}$ is not divisible by any of the primes $\le \sqrt{N}$, then we can conclude that $N$ is prime. (For if $N = ab$, $1 < a \le b < N$, then $a^2 \le ab = N$, so $p^2 \le N$ for the primes $p \mid a$.) Of course, since the complexity is $O(\sqrt{N})$, it is not possible to use this method for big numbers (say of more than 100 digits). But one can use trial division to test whether an integer has small factors or not. Therefore, ideally it can also be used first, up to a given bound, before running our more advanced algorithms. One can choose a bound $B$ and, by means of the sieve of Eratosthenes, store the primes up to $B$ in a list, to see first whether our prime candidate is divisible by any element of this list. Of course, if this is the case, we can conclude that our candidate is composite and divisible by that element of our previously chosen list.
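As an added example (not code from the thesis), the following Python code implements the sieve of Eratosthenes, the interval variant mentioned in Remark 4.1, and trial division by the resulting prime list as described in this section; the bounds and candidates in its checks are constructed inputs.

```python
"""Sieve of Eratosthenes, its segmented form for an interval [A, B], and trial division.

Added example, not code from the thesis. The bounds and candidates used in the
checks (e.g. 561 = 3 * 11 * 17 and the prime 7919) are constructed inputs.
"""
from math import isqrt


def sieve(B):
    """Primes in [2, B]: list a_i = i, cross out every k*p (k >= 2) for each surviving p."""
    if B < 2:
        return []
    alive = [True] * (B + 1)
    alive[0] = alive[1] = False
    p = 2
    while p * p <= B:                  # a composite <= B has a prime factor <= sqrt(B)
        if alive[p]:
            for n in range(2 * p, B + 1, p):
                alive[n] = False
        p += 1
    return [n for n in range(2, B + 1) if alive[n]]


def segmented_sieve(A, B):
    """Primes in [A, B] (Remark 4.1): sieve the interval with the primes up to sqrt(B)."""
    A = max(A, 2)
    alive = [True] * (B - A + 1)
    for p in sieve(isqrt(B)):
        start = max(p * p, ((A + p - 1) // p) * p)   # first multiple of p in [A, B], never p itself
        for n in range(start, B + 1, p):
            alive[n - A] = False
    return [A + i for i, a in enumerate(alive) if a]


def trial_division(N, primes):
    """Smallest prime in the list dividing N, or None if none does.

    With primes covering [2, sqrt(N)] the answer None proves N prime (Section 4.2);
    with a shorter list it only rules out small factors before a more expensive test.
    """
    for p in primes:
        if p * p > N:
            break
        if N % p == 0:
            return p
    return None


def is_prime_by_trial_division(N):
    """True iff N is prime, by dividing by every prime up to sqrt(N) (cost O(sqrt N))."""
    if N < 2:
        return False
    return trial_division(N, sieve(isqrt(N))) is None
```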


4.3 Fermat's Primality Test


According to Fermat's little theorem, one can ask whether we somehow have a converse of Fermat, so that we can apply a primality test based on this converse. Unfortunately such a converse does not exist. But we do have a compositeness test owing to the following corollary of Fermat.

Proposition 4.1. A number $N$ is composite if there exists $a \in \mathbb{N}$ such that
$$a^{N-1} \not\equiv 1 \pmod N.$$

Proof: trivial by Fermat's theorem.

Definition 4.2. A composite number $N$ which passes Fermat's test for every base $a$ coprime to $N$ is called a Carmichael number. The smallest such number is $561 = 3 \cdot 11 \cdot 17$.

Theorem 4.1. There are infinitely many Carmichael numbers.

By the above theorem it is clear that Fermat's test cannot guarantee at all whether the checked candidate is a true prime. However, this test enables us to detect most of the composite numbers at the first step. Furthermore, generalizing Fermat's theorem and trying to get a generalized version of a converse of Fermat's theorem will give us a chance to introduce the $N - 1$ and $N + 1$ tests, and in the end the Jacobi-sum and ECPP algorithms. There are also other probabilistic primality tests obtained by generalizing Fermat. In the next section we will deal with such algorithms. They are also used, with some modification, in cryptographic protocols when true primality testing and proving algorithms are not available or not required to guarantee a reasonable security of the considered cryptosystem.


4.4 Probabilistic Primality Testing Algorithms


Now it is time to give the probabilistic primality tests, namely the Solovay-Strassen and Miller-Rabin tests. The idea is to use the definitions of pseudoprimality, Euler pseudoprimality and, in the end, strong pseudoprimality.


4.4.1 Solovay-Strassen Probabilistic Primality Test


Now the Solovay-Strassen algorithm will be given. This and the Miller-Rabin algorithm are actually probabilistic algorithms. The answer 'composite' is always true, hence they are called in some texts compositeness algorithms. Moreover, if the candidate is prime then the answer is always 'prime'. However, it is possible to have a false answer 'prime', though the candidate may actually be composite.

ALGORITHM: Solovay-Strassen
1. $N \in \mathbb{N}$, $N$ odd;
2. Choose a number $t \in \mathbb{N}$ randomly and for $1 \le i \le t$ choose $a_i$ randomly;
3. For $1 \le i \le t$ compute
   (a) $c_i = \left(\frac{a_i}{N}\right) \bmod N$ with the reciprocity law,
   (b) $b_i = a_i^{\frac{N-1}{2}} \bmod N$;
4. If $b_i \neq c_i$ for some $i$, then Return 'composite';
5. Else Return 'possibly prime'.

Proposition 4.2 (Solovay-Strassen error-probability bound). Let $N$ be an odd composite integer. The probability that the Solovay-Strassen test declares $N$ to be 'prime' is less than $(\frac{1}{2})^t$.
4.4.2 Miller-Rabin Probabilistic Primality Test

We generalize the idea of Solovay-Strassen by considering strong pseudoprimes
instead of Euler pseudoprimes (recall that spsp $\subset$ epsp $\subset$ psp). We
therefore introduce the Miller-Rabin test, which is also called the strong
pseudoprimality test.


ALGORITHM: Miller-Rabin
1. $N \in \mathbb{N}$, $N$ odd; write $N - 1 = 2^{l} m$ with $m$ odd;
2. choose a number $t \in \mathbb{N}$ and for $1 \le i \le t$ choose $a_i$ randomly with $1 < a_i < N$;
3. for $1 \le i \le t$ test
   (i) whether $a_i^{m} \equiv 1 \pmod N$,
   (ii) or whether there exists $j$ with $0 \le j < l$ such that $a_i^{2^{j} m} \equiv -1 \pmod N$;
4. if for some $i$ both (i) and (ii) are false, return 'composite';
5. else return 'possibly prime'.


Proposition 4.3 (Miller-Rabin error-probability bound). Let $N$ be an odd
composite integer. The probability that the Miller-Rabin test declares $N$ to be
'prime' is less than $(1/4)^{t}$.


Remark 4.2 (fixed bases in Miller-Rabin). A strategy that is sometimes employed
is to fix the bases $a$ in the Miller-Rabin algorithm to be the first few primes
instead of choosing them at random (composite bases may be skipped). Note that
trial division with a so-called prime list may be used first to avoid unnecessary
computation in the Miller-Rabin algorithm, i.e. choose a bound $B$, list all primes
$p \le B$ and first use trial division to make sure that the candidate is not
divisible by any of these primes. For instance, if one chooses $B = 256$, then
about 80% of the odd composite numbers are discarded before Miller-Rabin is run.


Remark 4.3. Let us compare the Solovay-Strassen and Miller-Rabin algorithms
according to [2]:

1. The Solovay-Strassen test is computationally more expensive.

2. The Solovay-Strassen test is harder to implement, as it also involves Jacobi
symbol computations.

3. The error probability for Solovay-Strassen is bounded by $(1/2)^{t}$, while the
error probability for Miller-Rabin is bounded by $(1/4)^{t}$.

Therefore there is no reason to use Solovay-Strassen instead of Miller-Rabin.
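The tests of 4.4.1 and 4.4.2, together with the trial-division prefilter of Remark 4.2, as an added Python example (this is not code from the thesis). The Jacobi symbol is computed with the reciprocity law, both tests accept fixed bases as in Remark 4.2, and the constructed inputs 561 (a Carmichael number) and 2047 = 23 · 89 show the inclusion spsp ⊂ epsp at work: 561 is an Euler pseudoprime to base 2 but not a strong pseudoprime to base 2, and 2047 is a strong pseudoprime to base 2 but not to base 3.

```python
# Added example (not code from the thesis): the Solovay-Strassen and Miller-Rabin
# compositeness tests of Section 4.4 with the trial-division prefilter of
# Remark 4.2.  False is always correct ("composite"); True means "possibly
# prime" and is wrong with probability < (1/2)^t resp. (1/4)^t (Props. 4.2, 4.3).
import random
from math import isqrt


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, via the quadratic reciprocity law."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:                # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                      # reciprocity: sign flips iff both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def _bases(N, t, bases, rng):
    """Fixed bases (Remark 4.2) if given, else t random bases in [2, N-2]."""
    if bases is not None:
        return [a % N for a in bases if a % N not in (0, 1, N - 1)]
    return [rng.randrange(2, N - 1) for _ in range(t)]


def solovay_strassen(N, t=20, bases=None, rng=random):
    """Euler pseudoprimality: a^((N-1)/2) must equal the Jacobi symbol (a/N) mod N."""
    if N < 4:
        return N in (2, 3)
    if N % 2 == 0:
        return False
    for a in _bases(N, t, bases, rng):
        j = jacobi(a, N)
        if j == 0 or pow(a, (N - 1) // 2, N) != j % N:
            return False
    return True


def miller_rabin(N, t=20, bases=None, rng=random):
    """Strong pseudoprimality: with N-1 = 2^l m, m odd, require a^m = 1 or
    a^(2^j m) = -1 (mod N) for some 0 <= j < l."""
    if N < 4:
        return N in (2, 3)
    if N % 2 == 0:
        return False
    l, m = 0, N - 1
    while m % 2 == 0:
        l, m = l + 1, m // 2
    for a in _bases(N, t, bases, rng):
        x = pow(a, m, N)
        if x in (1, N - 1):
            continue
        for _ in range(l - 1):
            x = x * x % N
            if x == N - 1:
                break
        else:
            return False                 # neither (i) nor (ii) holds: a witnesses compositeness
    return True


def small_primes(B):
    """Primes <= B by the sieve of Eratosthenes."""
    sieve = bytearray([1]) * (B + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, isqrt(B) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, B + 1, i)))
    return [p for p, is_p in enumerate(sieve) if is_p]


def is_probable_prime(N, B=256, t=20, rng=random):
    """Remark 4.2: trial division by the primes up to B first, then Miller-Rabin."""
    for p in small_primes(B):
        if N == p:
            return True
        if N % p == 0:
            return False
    return N > 1 and miller_rabin(N, t, rng=rng)
```

Because `miller_rabin` and `solovay_strassen` take an explicit list of bases, the same code serves both the randomized tests of Propositions 4.2 and 4.3 and the fixed-base variant of Remark 4.2.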


4.5 $N - 1$ Primality Testing Algorithms


There are also primality testing algorithms based on the converse of Fermat's
theorem. Indeed, our aim here is to obtain a converse of Fermat's theorem by using
some additional information. If we can factor $N - 1$ completely or partially, we
can give a proof of primality with this extra information. We now give the most
important propositions for both the $N - 1$ (resp. $N + 1$) primality testing
algorithms and our ECPP algorithms.

Theorem 4.2 (Lucas). Let $a, N \in \mathbb{N}$ with $\gcd(a, N) = 1$. If
$a^{N-1} \equiv 1 \pmod N$, but $a^{(N-1)/d} \not\equiv 1 \pmod N$ for every divisor
$d > 1$ of $N - 1$ (it suffices to check the prime divisors $d$), then $N$ is prime.
Proof: see [17].


Theorem 4.3. Let $N \in \mathbb{N}$, $N - 1 = \prod_{i=1}^{t} p_i^{e_i}$. If there
exists $a \in \mathbb{N}$ with $a^{N-1} \equiv 1 \pmod N$ but
$a^{(N-1)/p_i} \not\equiv 1 \pmod N$ for all $i$, then $N$ is prime.

Proof: see [17].


Theorem 4.4. Let $N \in \mathbb{N}$, $2 \nmid N$, and $N - 1 = \prod_{i=1}^{t} p_i^{e_i}$.
If for each $1 \le i \le t$ there exists $a_i$ with $a_i^{N-1} \equiv 1 \pmod N$ and
$a_i^{(N-1)/p_i} \not\equiv 1 \pmod N$, then $N$ is prime.

Proof: see [17].

Note that in order to apply any of the above theorems we need the complete
factorization of $N - 1$. Mostly it is not possible to have such a complete
factorization, but if we know a divisor of $N - 1$ which satisfies some properties,
then we can still test the primality of the candidate $N$.

Pocklington's theorem is the centre of such tests with a partially factored
$N - 1$; as we will see, other testing criteria can also be derived from it.


Proposition 4.4 (Pocklington's Theorem). Let $p$ be a prime divisor of $N - 1$ and
let $p^{r}$ be the largest power of $p$ dividing $N - 1$. Assume that we can find an
integer $a_p$ such that $a_p^{N-1} \equiv 1 \pmod N$ and
$\gcd(a_p^{(N-1)/p} - 1, N) = 1$. Then every divisor $d$ of $N$ satisfies
$d \equiv 1 \pmod{p^{r}}$.

Proof: It is enough to look at the prime divisors $d$ of $N$. From
$a_p^{N-1} \equiv 1 \pmod N$ we get $a_p^{N-1} \equiv 1 \pmod d$, and $a_p$ is coprime
to $N$, hence to $d$. On the other hand $a_p^{(N-1)/p} \not\equiv 1 \pmod d$, as
$\gcd(a_p^{(N-1)/p} - 1, N) = 1$. If $e$ is the exact order of $a_p$ modulo $d$, then
$e$ divides $N - 1$ but not $(N-1)/p$, hence $p^{r} \mid e$; and $e \mid d - 1$ by
Fermat's theorem. Hence $p^{r} \mid e \mid d - 1$, i.e. $d \equiv 1 \pmod{p^{r}}$.


Proposition 4.5. Assume that we can write $N - 1 = F \cdot U$ where $\gcd(F, U) = 1$,
$F$ is completely factored and $F > \sqrt N$. Then, if for each prime $p$ dividing $F$
we can find an $a_p$ satisfying the conditions of Pocklington's theorem, $N$ is prime.
Conversely, if $N$ is prime, then for any prime $p$ dividing $N - 1$ one can find an
$a_p$ satisfying the conditions of Pocklington's theorem.

Corollary 4.1. Assume that we can write $N - 1 = F \cdot U$ where $\gcd(F, U) = 1$,
$F$ is completely factored, all prime divisors of $U$ are greater than $B$, and
$B \cdot F > \sqrt N$. Then, if for each prime $p$ dividing $F$ we can find an $a_p$
satisfying the conditions of Pocklington's theorem, and if furthermore we can find an
$a_U$ such that $a_U^{N-1} \equiv 1 \pmod N$ and $\gcd(a_U^{F} - 1, N) = 1$, then $N$ is
prime. Conversely, if $N$ is prime, then $a_p$ and $a_U$ can always be found.


4.5.1 Test 


We now give the $N - 1$ algorithm as pseudocode. First we give an algorithm for
the case where we have the full factorization of $N - 1$; in the second case we
concentrate on the partially factored case.

ALGORITHM: N − 1 Test (fully factored N − 1)
Input: $N \in \mathbb{N}$, $N$ odd, and bases $m_i$, $0 \le i < k$, which passed the
Miller-Rabin test.
Output: 'prime' or 'composite'.
1. Set $i \leftarrow 0$ ($m_0$ is the first base);
2. Determine $s, t$ with $t$ odd such that $N - 1 = 2^{s} t$;
3. While $i < k$ do:
   (a) if $m_i^{t} \equiv 1 \pmod N$, then $i \leftarrow i + 1$ and continue with the next base;
   (b) for $k' = 0, 1, \dots, s - 1$: if $m_i^{2^{k'} t} \equiv -1 \pmod N$, then
       $i \leftarrow i + 1$ and leave this inner loop;
   (c) if no such $k'$ exists (the inner loop ran up to $k' = s$), return 'composite'.
4. Return 'prime'.
If we cannot factor $N - 1$ fully, we simply test the conditions of Pocklington's
theorem in the following algorithm:

ALGORITHM: N − 1 Test (partially factored N − 1)
Input: $N \in \mathbb{N}$, $N$ odd, $P$ a prime divisor of $N - 1$, and
$Q = \prod_{i=1}^{r} p_i^{e_i}$ a divisor of $N - 1$ with prime factors $p_i$ such that
$N - 1 = Q \cdot P$ with $Q < P$ (so that $P > \sqrt N$).
Output: 'prime' or 'composite'.
1. Choose a natural number $a$ with $1 < a < N$;
2. If $a^{N-1} \not\equiv 1 \pmod N$, then GOTO 1 (if $\gcd(a, N) = 1$ this already
   shows that $N$ is composite, so in practice one returns 'composite' here);
3. If $\gcd(a^{Q} - 1, N) \ne 1$, then GOTO 1;
4. Return 'prime'.

Note that $a^{Q} = a^{(N-1)/P}$, so steps 2 and 3 are exactly the conditions of
Pocklington's theorem for the prime $P$, with $F = P > \sqrt N$. The loop over $a$
must be bounded in practice, since for a composite $N$ step 4 is never reached.
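The partially factored N − 1 test as an added Python example (not code from the thesis). It implements Proposition 4.5 rather than only the single-prime form above: for every prime p of the factored part F of N − 1 (with F > √N) a witness a_p satisfying Pocklington's conditions is searched, the witnesses are returned as the certificate, and a separate function re-checks such a certificate. The inputs 100003 with F = 7 · 2381, the composite 100001 = 11 · 9091 and the Fermat number 65537 are constructed for the example.

```python
# Added example (not code from the thesis): the N-1 test for a partially
# factored N-1 = F*U in the form of Proposition 4.5.  For every prime p | F a
# witness a_p with a_p^(N-1) = 1 (mod N) and gcd(a_p^((N-1)/p) - 1, N) = 1 is
# searched; the witnesses are the certificate and can be re-checked separately.
from math import gcd


def trial_factor(n, B):
    """Trial-divide n by 2..B: returns ({p: e}, cofactor) with the cofactor B-rough."""
    factors = {}
    p = 2
    while p <= B and n > 1:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    return factors, n


def factored_part(N, F_factors):
    """F = prod p^e; raises unless F | N-1 and F > sqrt(N), as Prop. 4.5 requires."""
    F = 1
    for p, e in F_factors.items():
        F *= p ** e
    if (N - 1) % F or F * F <= N:
        raise ValueError("need F | N-1 and F > sqrt(N)")
    return F


def pocklington(N, F_factors, max_base=2000):
    """Returns ("prime", {p: a_p}), ("composite", None) or ("unknown", None); the
    last cannot occur for prime N unless max_base is far too small."""
    factored_part(N, F_factors)
    witnesses = {}
    for p in F_factors:
        for a in range(2, min(max_base, N - 1)):
            if gcd(a, N) != 1 or pow(a, N - 1, N) != 1:
                return ("composite", None)      # Fermat's condition fails: N is not prime
            if gcd(pow(a, (N - 1) // p, N) - 1, N) == 1:
                witnesses[p] = a                # a_p found for this p
                break
        else:
            return ("unknown", None)
    return ("prime", witnesses)


def verify_pocklington(N, F_factors, witnesses):
    """Independent check of a certificate against the conditions of Proposition 4.5."""
    try:
        factored_part(N, F_factors)
    except ValueError:
        return False
    return all(p in witnesses
               and pow(witnesses[p], N - 1, N) == 1
               and gcd(pow(witnesses[p], (N - 1) // p, N) - 1, N) == 1
               for p in F_factors)
```

The certificate is the dictionary of witnesses together with the factored part of N − 1; `verify_pocklington` needs only two modular exponentiations per prime of F, which is the point of the certificate.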
4.5.2 certificate

The so-called DOWN-RUN method yields the pairs $(i, m_i)$; together with the
exponents they form the so-called certificate. If we store these data, a second
programmer can verify the primality or compositeness of the result once more.


4.5.3 Special primes 


The easiest form is $N - 1 = 2^{m}$.

Let $n \in \mathbb{N}$ be odd. We know that
$$\frac{x^{n} - 1}{x - 1} = 1 + x + \dots + x^{n-1}.$$
Substituting $-x$ for $x$ we get, for odd $n$,
$$\frac{x^{n} + 1}{x + 1} = 1 - x + x^{2} - \dots + x^{n-1},$$
hence $x + 1 \mid x^{n} + 1$ whenever $n \equiv 1 \pmod 2$.

Let $m = 2^{b} u$ with $u$ odd and put $x := 2^{2^{b}}$; then $2^{2^{b}} + 1 \mid 2^{m} + 1 = N$.
So $N = 2^{m} + 1$ can only be prime when $u = 1$, i.e. when $N = F_n := 2^{2^{n}} + 1$ is a
Fermat number. According to Lemma 2.2.3, together with Theorem 3.3, if $a \in \mathbb{Z}$
satisfies $a^{F_n - 1} \equiv 1 \pmod{F_n}$ and $a^{(F_n - 1)/2} \not\equiv 1 \pmod{F_n}$,
then $F_n$ is prime.


Theorem 4.5 (Pepin). Let $n \ge 1$. Then $F_n$ is prime if and only if
$$3^{(F_n - 1)/2} \equiv -1 \pmod{F_n}.$$

Theorem 4.6. Let $n \ge 2$ and let $p \mid F_n$ be prime. Then $p \equiv 1 \pmod{2^{n+2}}$.

Note: for the proofs of the above two theorems see [17].

With the help of Pocklington's theorem we can also conclude the following results.

Theorem 4.7. Let $N = K \cdot 2^{n} + 1$ with $2 \nmid K$ and $0 < K < 2^{n} + 2$. Then
$N$ is prime if and only if there exists $a \in \mathbb{Z}$ with
$a^{(N-1)/2} \equiv -1 \pmod N$.

Theorem 4.8. Let $N = K \cdot 2^{n} + 1$ with $n \ge 2$, $K$ odd and $3 \nmid K$.
Furthermore, assume that $0 < K < 2^{n} + 2$. Then $N$ is prime if and only if
$$3^{(N-1)/2} \equiv -1 \pmod N.$$
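Pepin's test (Theorem 4.5) and the Proth-type tests of Theorems 4.7 and 4.8 as an added Python example (not code from the thesis). In both cases the single base a with a^((N−1)/2) ≡ −1 (mod N) is the whole certificate. The inputs, the Fermat numbers F_1, …, F_5, N = 13 · 2^8 + 1 = 3329 (the modulus of the ML-KEM/Kyber scheme), 3 · 2^12 + 1 = 12289 and the composite 5 · 2^4 + 1 = 81, are chosen for the example.

```python
# Added example (not code from the thesis): Pepin's test for Fermat numbers
# (Theorem 4.5) and the Proth-type tests of Theorems 4.7 and 4.8 for
# N = K*2^n + 1.  Both are the N-1 test with N-1 = K*2^n, and the single
# witness a with a^((N-1)/2) = -1 (mod N) is the whole certificate.


def pepin(n):
    """F_n = 2^(2^n) + 1, n >= 1, is prime iff 3^((F_n - 1)/2) = -1 (mod F_n)."""
    F = 2 ** (2 ** n) + 1
    return pow(3, (F - 1) // 2, F) == F - 1


def proth(K, n, max_base=1000):
    """N = K*2^n + 1 with K odd and K < 2^n + 2 (Theorem 4.7).  Returns
    ("prime", a)      with a^((N-1)/2) = -1 (mod N), which proves N prime;
    ("composite", a)  when a^((N-1)/2) is neither 1 nor -1 (Euler's criterion fails);
    ("unknown", None) if no base below max_base decides; for prime N any quadratic
                      non-residue works, so this practically never happens."""
    assert K % 2 == 1 and 0 < K < 2 ** n + 2
    N = K * 2 ** n + 1
    for a in range(2, min(max_base, N)):
        r = pow(a, (N - 1) // 2, N)
        if r == N - 1:
            return ("prime", a)
        if r != 1:
            return ("composite", a)
    return ("unknown", None)


def proth_base3(K, n):
    """Theorem 4.8: for n >= 2 and 3 not dividing K the base 3 alone decides."""
    assert n >= 2 and K % 2 == 1 and K % 3 and 0 < K < 2 ** n + 2
    N = K * 2 ** n + 1
    return pow(3, (N - 1) // 2, N) == N - 1
```

For 3329 the base 2 is a quadratic residue (3329 ≡ 1 mod 8) and gives +1, while 3 gives −1, exactly as Theorem 4.8 predicts for 3 ∤ K.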


4.6 N+1 Primality Testing Algorithms 


Our aim is now to find a similar test based on $N + 1$, for the case where the
factorization of $N - 1$ is not possible, even partially.


Remark 4.4. Let $p, q$ be two integers such that $D := p^{2} - 4q$ is not a square.
Then $x^{2} - px + q$ has two distinct zeros $r_{1,2} = \frac{p}{2} \pm \frac{\sqrt{D}}{2}$.
Considering $r = r_1$ we get the following recursive formulas.

Proposition 4.6. The powers of $r$ can be written as
$$r^{m} = \frac{V(m) + U(m)\sqrt{p^{2} - 4q}}{2},$$
where $V(m)$ and $U(m)$ can be calculated recursively as follows:
$$U(0) = 0,\quad U(1) = 1,\quad U(m) = pU(m-1) - qU(m-2),$$
$$V(0) = 2,\quad V(1) = p,\quad V(m) = pV(m-1) - qV(m-2).$$
$U$ and $V$ are the Lucas sequences of $p$ and $q$.
Proof: see [17].


Proposition 4.7 (Lucas Test). Let $N$ be an odd integer. If there exists $\delta$ with
$\left(\frac{\delta}{N}\right) = -1$ and for every prime factor $r$ of $N + 1$ there exist
some $p$ and $q$ with $p^{2} - 4q = \delta$ such that
$$U(N+1) \equiv 0 \pmod N \quad\text{and}\quad U\!\left(\tfrac{N+1}{r}\right) \not\equiv 0 \pmod N$$
are satisfied, then $N$ is prime. (In implementations the second condition is checked
in the stronger form $\gcd(U((N+1)/r), N) = 1$, which gives the proof directly through
the rank of apparition of every prime divisor of $N$.)

Proof: see [17].
4.6.1 Test

We now give the $N + 1$ algorithm as pseudocode (only for the partially
factored case).

ALGORITHM: N + 1 Test (partially factored N + 1)
Input: $N \in \mathbb{N}$, $N$ odd, $P$ a prime divisor of $N + 1$, and
$Q = \prod_{i=1}^{k} p_i^{e_i}$ a divisor of $N + 1$ with prime factors $p_i$ such that
$N + 1 = Q \cdot P$ with $Q < P$.
Output: 'prime' or 'composite'.

1. Choose $r, s$ such that $\gcd(r, s) = 1$ (the $p, q$ of Proposition 4.7);
2. If $\left(\frac{r^{2} - 4s}{N}\right) \ne -1$, then GOTO 1;
3. If $U(N+1) \not\equiv 0 \pmod N$, then GOTO 1;
4. If $U(Q) = U((N+1)/P) \equiv 0 \pmod N$, then GOTO 1;
5. Return 'prime'.

As for the $N - 1$ test, the loop must be bounded in practice, since for a
composite $N$ step 5 is never reached.


4.6.2 certificate 


As in the case of $N - 1$, we obtain a certificate for the $N + 1$ test in terms of
the parameters $r, s$. Since $r$ depends on $s$, one can also choose $r = 1$ if $s$
is even and $r = 2$ if $s$ is odd.


4.6.3 Special primes

We know by Corollary 2.2 that if $N = 2^{n} - 1$ is prime, then $n$ must also be
prime. Recall that such primes are called Mersenne primes. Here $N + 1 = 2^{n}$ is
completely factored, so the $N + 1$ tests can be used much more efficiently (in
this special case they become the Lucas-Lehmer test).
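The Lucas sequences of Proposition 4.6 and the N + 1 test of Proposition 4.7 as an added Python example (not code from the thesis), applied to the Mersenne numbers of 4.6.3 and to a constructed N with fully factored N + 1. U_k and V_k are computed in O(log k) steps by the doubling formulas rather than by the linear recursion, the second Lucas condition is checked in the gcd form, and the discriminant D is selected by Euler's criterion, which equals the Jacobi symbol whenever N is prime (the selection does not affect the soundness of the proof). The pair (P, Q) that is returned is the certificate of 4.6.2.

```python
# Added example (not code from the thesis): the Lucas sequences of Proposition 4.6
# computed by doubling formulas, and the N+1 test of Proposition 4.7 for a fully
# factored N+1 in its gcd form: U_{N+1} = 0 (mod N) and gcd(U_{(N+1)/r}, N) = 1
# for every prime r | N+1 (the thesis writes the second condition as
# U_{(N+1)/r} != 0 (mod N)).  Mersenne numbers N = 2^p - 1 are the natural input.
from math import gcd


def lucas_uv(k, P, Q, N):
    """(U_k, V_k) mod N for the Lucas sequences of x^2 - P x + Q (N odd, k >= 1), via
    U_{2k} = U_k V_k, V_{2k} = V_k^2 - 2 Q^k, U_{k+1} = (P U_k + V_k)/2,
    V_{k+1} = (D U_k + P V_k)/2, where D = P^2 - 4Q."""
    D, inv2 = P * P - 4 * Q, (N + 1) // 2          # inv2 = 1/2 mod N for odd N
    U, V, Qk = 1 % N, P % N, Q % N                 # U_1, V_1, Q^1
    for bit in bin(k)[3:]:                         # bits of k below the leading one
        U, V, Qk = U * V % N, (V * V - 2 * Qk) % N, Qk * Qk % N
        if bit == "1":
            U, V = (P * U + V) * inv2 % N, (D * U + P * V) * inv2 % N
            Qk = Qk * Q % N
    return U, V


def find_discriminant(N, limit=100):
    """Smallest D in 5, -7, 9, -11, ... with D^((N-1)/2) = -1 (mod N).  By Euler's
    criterion this is the Jacobi symbol (D/N) when N is prime, which is all the
    selection needs; the soundness of the test below does not depend on it."""
    D = 5
    for _ in range(limit):
        if gcd(D, N) == 1 and pow(D % N, (N - 1) // 2, N) == N - 1:
            return D
        D = -(D + 2) if D > 0 else -D + 2
    return None


def lucas_n_plus_1(N, primes_of_N_plus_1, max_P=200):
    """N odd, primes_of_N_plus_1 = every prime r dividing N+1.  Returns
    ("prime", (P, Q)) with the certifying pair, ("composite", factor_or_None),
    or ("unknown", None) if no pair with rank of apparition N+1 was found."""
    D = find_discriminant(N)
    if D is None:
        return ("composite", None)
    for P in range(1, max_P, 2):                   # odd P keeps Q = (P^2 - D)/4 integral
        Q = (P * P - D) // 4
        if Q == 0 or gcd(Q, N) != 1:
            continue
        if lucas_uv(N + 1, P, Q, N)[0] != 0:
            return ("composite", None)             # never happens for prime N with (D/N) = -1
        rank_is_full = True
        for r in primes_of_N_plus_1:
            g = gcd(lucas_uv((N + 1) // r, P, Q, N)[0], N)
            if 1 < g < N:
                return ("composite", g)
            if g == N:                             # rank of apparition divides (N+1)/r: next P
                rank_is_full = False
                break
        if rank_is_full:
            return ("prime", (P, Q))
    return ("unknown", None)


def mersenne_n_plus_1(p):
    """N = 2^p - 1 has N + 1 = 2^p, so only r = 2 needs checking (Section 4.6.3)."""
    return lucas_n_plus_1(2 ** p - 1, [2])
```

With P = 1, Q = −1 the sequences are the Fibonacci and Lucas numbers, which is why `lucas_uv(8, 1, -1, N)` returns (F_8, L_8) = (21, 47).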


4.7 ECPP Algorithms 


As we have already seen in the previous two sections, if we have a partial
factorization of $N - 1$ or $N + 1$, there is a version of the converse of Fermat's
little theorem, and with some additional requirements it is not actually difficult
to test the primality of a given number. It is also clear that these algorithms are
somewhat special, as they need the factorization of $N - 1$ resp. $N + 1$. The first
general purpose primality proving algorithm was introduced in 1979 by Adleman,
Pomerance and Rumely. This algorithm is called the Jacobi sum test and is based on
the group rings of cyclotomic extensions; its idea is therefore also a
generalization of Fermat's little theorem. The running time of this algorithm is
$O\big((\log N)^{c \log\log\log N}\big)$ for some constant $c > 0$; hence it is almost a
polynomial time algorithm. However, the algorithm was not practical. Cohen and
Lenstra developed a practical version of it, which is also of use in practice.

The reason why ECPP algorithms are superior in practice is that they give a short
primality certificate (or certificate of primality): once the parameters of the
algorithm are given, it is much easier for a second party to verify the result (in
our case, to prove or disprove the primality of the number considered to be prime).
The Jacobi sum test cannot give such a certificate; a second programmer has to write
and execute the entire test once more, although it is slightly faster than our ECPP
algorithms up to 600-700 digits.


4.7.1 Test 


Here we explain the algorithm based on elliptic curves over finite fields: instead
of suitably strong generalizations of Fermat's theorem, we use the group of rational
points of an elliptic curve over $\mathbb{F}_N$ itself. In the first step we become
morally certain that our number $N$ is prime, i.e. it has passed probabilistic
primality tests such as Solovay-Strassen and Miller-Rabin. Hence we work as if $N$
were prime, assuming for example that each non-zero element modulo $N$ is
invertible. In the event that some non-invertible element modulo $N$ turns up, we
immediately stop the algorithm and output a non-trivial factor of $N$, obtained by
taking a GCD with $N$ (for example using the extended GCD algorithm). We therefore
consider an elliptic curve over $\mathbb{Z}/N\mathbb{Z}$, that is, a Weierstrass equation
$y^{2} = x^{3} + ax + b$ with $a, b \in \mathbb{Z}/N\mathbb{Z}$ and
$4a^{3} + 27b^{2} \in (\mathbb{Z}/N\mathbb{Z})^{*}$ (it is not necessary to consider a
general Weierstrass equation, as $\gcd(N, 6) = 1$). Furthermore, we perform the group
operation on the rational points of our elliptic curve as if $N$ were prime. Hence
we may assume from now on that all computations can be performed without any
problems.

Our basic strategy in the ECPP algorithm is the so-called DOWN-RUN strategy of the
following theorem, which is the elliptic curve analogue of the theorems behind the
$N - 1$ and $N + 1$ tests.


Theorem 4.9. Let $N$ be a positive integer coprime to 6 and different from 1. Let
$E$ be an elliptic curve modulo $N$. Assume that we know an integer $m$ and a point
$P \in E(\mathbb{Z}/N\mathbb{Z})$ satisfying the following conditions.

1. There exists a prime divisor $q$ of $m$ such that $q > (N^{1/4} + 1)^{2}$.
2. $m \cdot P = O_E = (0 : 1 : 0)$.
3. $(m/q) \cdot P = (x : y : t)$ with $t \in (\mathbb{Z}/N\mathbb{Z})^{*}$.

Then $N$ is prime.

Proof: Assume that $N$ is not prime, and let $p$ be the smallest prime divisor of
$N$, so that $p \le \sqrt N$. In $E(\mathbb{Z}/p\mathbb{Z})$ the image of $P$ has order
dividing $m$ but not dividing $m/q$, as $t \in (\mathbb{Z}/p\mathbb{Z})^{*}$. Since $q$ is
prime, $q$ divides the order of the image of $P$ in $E(\mathbb{Z}/p\mathbb{Z})$, i.e.
$q \le |E(\mathbb{Z}/p\mathbb{Z})|$. By Hasse's theorem $q \le (\sqrt p + 1)^{2}$, and
since $p \le \sqrt N$ we get $q \le (N^{1/4} + 1)^{2}$, which contradicts our
assumption.


We now face three main problems, namely:
• How to choose the elliptic curve?
• How to find $P$?
• How to choose $m \in \mathbb{N}$?

The following proposition answers the second and third questions.

Proposition 4.8. Let $m = |E(\mathbb{Z}/N\mathbb{Z})|$. If for a prime number $q$
dividing $m$
$$q > (N^{1/4} + 1)^{2}$$
is satisfied, then there exists a point $P \in E(\mathbb{Z}/N\mathbb{Z})$ such that
$m \cdot P = O_E = (0 : 1 : 0)$ and $(m/q) \cdot P = (x : y : t)$ with
$t \in (\mathbb{Z}/N\mathbb{Z})^{*}$. Note that $m = |E(\mathbb{Z}/N\mathbb{Z})|$ is computed
as if $N$ were prime.

The ECPP (elliptic curve primality proving) algorithm is then given as follows.

ALGORITHM: ECPP
INPUT: a number $N \in \mathbb{Z}$ whose primality will be (dis)proved.
OUTPUT: if $N$ is composite, a divisor of $N$; if $N$ is prime, return 'prime'.

1. Choose a non-supersingular elliptic curve $E$ over $\mathbb{Z}/N\mathbb{Z}$;
2. $m \leftarrow |E|$;
3. Choose a prime number $q > (N^{1/4} + 1)^{2}$ such that $q \mid m$;
4. Choose a 'random' point $P \in E$;
   4.1 If $m \cdot P \ne O_E$, then $N$ is composite (for a prime $N$ this cannot
       happen): return 'composite';
   4.2 If $(m/q) \cdot P = O_E$, go to 4;
   4.3 If an error occurs (a non-invertible element), return the divisor of $N$
       found by the extended GCD algorithm;
5. Return 'prime'.


As we see, we have reached an algorithm analogous to the one developed for the
$N - 1$ and $N + 1$ tests. As already explained, those tests are special, since they
need the partial or full factorization of $N - 1$ or $N + 1$. However, if we replace
the group $\mathbb{F}_N^{*}$ with the group of points of an elliptic curve over
$\mathbb{F}_N$, we obtain a general primality proving algorithm which, in contrast to
the Jacobi sum test and its variants, also gives us the chance to reprove or
disprove the result. For further discussion of short primality certificates see the
next chapter. Moreover, the idea is unchanged, namely the so-called DOWN-RUN
strategy: we get intermediate prime candidates and, applying the DOWN-RUN strategy,
we get the following.

Remark 4.5. The primality of a number $N$ can be reduced to the primality of a
smaller prime candidate $q < N$ by means of the above ECPP algorithm. Moreover,
applying this algorithm recursively, we can prove the primality of the given prime
candidate $N$ by trial division or the $N - 1$ test alone, once an intermediate prime
candidate $q$ small enough for these methods has been reached.


After introducing our algorithm, we have to deal with the following problems, which
come together with the results on the arithmetic of elliptic curves over
$\mathbb{C}$ or $\mathbb{F}_q$ in Chapter 3, and the results from number theory and
algebraic number theory in Chapter 2.

• How can we choose elliptic curves?

• How can one compute the cardinality of the group of rational points of an
elliptic curve over a finite field whose characteristic is 'big'?

• Is this algorithm practical?

Our basic difficulty in the algorithm is to find $m = |E(\mathbb{Z}/N\mathbb{Z})|$. We
will discuss the methods (both theoretical and practical) in detail in the next
chapter. After that we give the complexity analysis of the algorithm in Chapter 6,
and in Chapter 7 the implementation details.

As we have already seen, we need an elliptic curve $E$ over $\mathbb{Z}/N\mathbb{Z}$
whose order has a prime divisor $q$ satisfying $q > (N^{1/4} + 1)^{2}$. Furthermore
we need a point $P$ on this curve satisfying the conditions of Theorem 4.9. This
means that we have a probabilistic algorithm, although the result is always true
and reprovable. Note that in case $N$ is not prime the algorithm need not
terminate; but if we insert a GCD check on the intermediate results, we obtain a
divisor of $N$ whenever a non-invertible element appears, which also gives us a
chance to detect a divisor of $N$ in the case that $N$ is composite.


4.7.2 certificate 


As we already saw in the $N - 1$ and $N + 1$ tests, we can apply the so-called
DOWN-RUN strategy in the ECPP algorithm as well; here we obtain recursively the
intermediate prime candidates
$$N_0 = N,\; N_1 (= q_1),\; \dots,\; N_i (= q_i),\; \dots$$

Definition 4.3. The sequence $N_0 = N,\ N_1 (= q_1),\ \dots,\ N_i (= q_i),\ \dots$
together with the corresponding elliptic curves $E_i$ and the cardinalities $m_i$
(and the points $P_i$ of Theorem 4.9) is called a primality certificate by means
of ECPP.

In contrast to the Jacobi sum test, from these certificate candidates we obtain a
certificate algorithm which verifies the result in much less time than the
original algorithm.

Remark 4.6. As already explained, the algorithm gives a short certificate by means
of the $m_i$'s. It makes it possible for anybody to prove to his or her satisfaction
the primality of $N$ using much less work than executing the original algorithm.
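The ECPP step of 4.7.1 and the certificate of 4.7.2 as an added Python example (not code from the thesis). It is restricted to small N: the order m is obtained by Legendre sums instead of Schoof's algorithm, and the candidate q is proved prime by trial division where the text uses Miller-Rabin. Everything else follows Theorem 4.9 literally: the curve arithmetic over Z/NZ is done as if N were prime, a non-invertible element surfaces as a factor of N, q is required to satisfy q > (N^(1/4) + 1)^2 and 2q ≤ m, the down-run stops when the candidate is small enough for trial division, and `verify_certificate` re-checks the chain with far less work than `prove_prime`. The inputs 10007 and 10001 = 73 · 137 are constructed for the example.

```python
# Added example (not code from the thesis): small-scale ECPP down-run (Theorem 4.9,
# certificate of Definition 4.3).  E(Z/NZ) arithmetic is done as if N were prime; a
# failed inversion yields a factor of N.  |E| by Legendre sums: small N only.
from math import gcd, isqrt
import random

def inv_mod(x, N):                              # 1/x mod N, or ValueError(factor of N)
    g = gcd(x % N, N)
    if g != 1:
        raise ValueError(g)
    return pow(x, -1, N)

def ec_add(P, Q, a, N):
    """Affine addition on y^2 = x^3 + a x + b over Z/NZ; None is O_E."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if (x1 - x2) % N == 0:
        if (y1 + y2) % N == 0:                  # Q = -P (includes the 2-torsion case y = 0)
            return None
        lam = (3 * x1 * x1 + a) * inv_mod(2 * y1, N) % N
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, N) % N
    x3 = (lam * lam - x1 - x2) % N
    return (x3, (lam * (x1 - x3) - y1) % N)

def ec_mul(k, P, a, N):                         # k.P by double-and-add
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, N)
        P, k = ec_add(P, P, a, N), k >> 1
    return R

def curve_order(a, b, N):                       # m = |E(Z/NZ)| as if N were prime:
    m = 1                                       # 1 + sum over x of (1 + Legendre symbol)
    for x in range(N):
        rhs = (x * x * x + a * x + b) % N
        m += 1 if rhs == 0 else 2 if pow(rhs, (N - 1) // 2, N) == 1 else 0
    return m

def is_prime_trial(n):
    return n > 1 and all(n % p for p in range(2, isqrt(n) + 1))

def ecpp_step(N, rng, small_primes=(2, 3, 5, 7, 11, 13), max_curves=500):
    """(a, b, m, q, P) satisfying Theorem 4.9 for N, or ("composite", factor_or_None)."""
    q0 = (isqrt(isqrt(N)) + 2) ** 2             # > (N^(1/4)+1)^2, as isqrt(isqrt(N)) = floor(N^(1/4))
    for _ in range(max_curves):
        a, b = rng.randrange(N), rng.randrange(N)
        if gcd(4 * a ** 3 + 27 * b ** 2, N) != 1:
            continue
        m = q = curve_order(a, b, N)
        if abs(m - N - 1) > 2 * isqrt(N) + 2:   # outside Hasse's interval: N is not prime
            return ("composite", None)
        for p in small_primes:                  # peel small cofactors off m
            while q % p == 0 and q // p >= q0:
                q //= p
        if q < q0 or 2 * q > m or not is_prime_trial(q):   # trial division stands in for Miller-Rabin
            continue
        try:
            while True:                         # random P; square root brute-forced (small N)
                x = rng.randrange(N)
                rhs = (x * x * x + a * x + b) % N
                ys = [y for y in range(N) if y * y % N == rhs]
                if not ys:
                    continue
                P = (x, ys[0])
                if ec_mul(m, P, a, N) is not None:
                    return ("composite", None)  # cannot happen for prime N
                if ec_mul(m // q, P, a, N) is not None:
                    return (a, b, m, q, P)
        except ValueError as e:
            return ("composite", e.args[0])
    raise RuntimeError("no suitable curve found")

def prove_prime(N, seed=0, small=1000):         # DOWN-RUN N = N_0 > q_1 > q_2 > ...
    rng, cert = random.Random(seed), []
    while N >= small:
        if gcd(N, 6) != 1:
            return ("composite", gcd(N, 6))
        step = ecpp_step(N, rng)
        if step[0] == "composite":
            return step
        cert.append((N,) + step)
        N = step[3]
    return ("prime", cert) if is_prime_trial(N) else ("composite", None)

def verify_certificate(N, cert, small=1000):    # re-check (N_i, a_i, b_i, m_i, q_i, P_i)
    for Ni, a, b, m, q, (x, y) in cert:
        try:
            ok = (Ni == N and gcd(N, 6) == 1 and gcd(4 * a ** 3 + 27 * b ** 2, N) == 1
                  and (y * y - x ** 3 - a * x - b) % N == 0 and m % q == 0
                  and q >= (isqrt(isqrt(N)) + 2) ** 2
                  and ec_mul(m, (x, y), a, N) is None and ec_mul(m // q, (x, y), a, N) is not None)
        except ValueError:                      # non-invertible element: N is composite
            ok = False
        if not ok:
            return False
        N = q
    return N < small and is_prime_trial(N)
```

The certificate is the list of tuples (N_i, a_i, b_i, m_i, q_i, P_i); the verifier needs two scalar multiplications per entry and never counts points, which is what makes ECPP certificates cheap to check.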


4.8 Primality Testing in reality 


We can of course combine all the algorithms discussed in this chapter to obtain a
true primality testing method, which may be used in cryptographic protocols such as
Diffie-Hellman and ElGamal.
ALGORITHM: A Combined Primality Test
INPUT: a number $N \in \mathbb{Z}$ whose primality will be (dis)proved.
OUTPUT: if $N$ is composite, a divisor of $N$ (or 'composite' where the test yields
no divisor); if $N$ is prime, return 'prime'.

1. Test whether $N$ is coprime to 30. If not, return {'$N$' has the divisor $\gcd(N, 30)$};

2. Test whether $N$ is divisible by any prime $p$ of the prime list up to a fixed
bound (trial division); if yes, return {'$N$' has the divisor $p$};

3. Test whether $2^{N-1} \equiv 1 \pmod N$ (almost all composite numbers are
detected here); if not, return 'composite' (this step yields no divisor);

4. Factor $N - 1$ and run the $N - 1$ algorithm; if the answer is 'composite',
return {'$N$' has the divisor $p$};

5. Factor $N + 1$ and run the $N + 1$ algorithm; if the answer is 'composite',
return {'$N$' has the divisor $p$};

6. Run the Miller-Rabin algorithm with a given bound (parameter); if the answer is
'composite', return 'composite';

7. Run the ECPP algorithm; if the answer is 'composite', return {'$N$' has the
divisor $p$};

8. Return {'prime'}.

Note that one can also use the Jacobi sum test in step 7 if there is no need to
certify the primality of the number. The Jacobi sum and ECPP algorithms have also
been combined in methods based on the concept of 'dual elliptic primes' (see [28]).


CHAPTER 5 


ECPP (ELLIPTIC CURVE 
PRIMALITY PROVING) 
ALGORITHMS 


We have explained the theory of primality testing algorithms and ECPP algorithms
in the last chapter. Our basic problem now is to determine, as discussed, the order
of the group of rational points of an elliptic curve over a finite field. One method
is due to Schoof. His algorithm is based on the theorem of Hasse and computes
$m = |E(\mathbb{Z}/p\mathbb{Z})|$ in time $O(\log^{8} N)$. The ECPP algorithm which uses
Schoof's algorithm to find $m = |E(\mathbb{Z}/p\mathbb{Z})|$ is due to Goldwasser and
Kilian. It was shown that, under a reasonable hypothesis on the distribution of
prime numbers in short intervals, the expected running time of the algorithm is
$O(\log^{10} N)$, hence polynomial in $\log N$.

The theoretical advance was made by Adleman and Huang, by proving the following
theorem.

Theorem 5.1. There exists a probabilistic polynomial time algorithm which can
prove or disprove that a given number $N$ is prime.

Their idea is to use, in addition to elliptic curves, Jacobians of curves of genus
2, and an algorithm similar to that of Goldwasser and Kilian. Although their
algorithm is not practical, it proves the above theorem, see [25]: they found an
algorithm which runs in polynomial time. Of course neither the Goldwasser-Kilian
algorithm nor the Jacobi sum test is of that type, since only their expected running
times are polynomial, but the worst case may not be!
5.1 Goldwasser-Kilian ECPP Algorithm

Goldwasser and Kilian used the same idea as the ECPP algorithm we explained in the
last chapter. They use Schoof's algorithm to find the cardinality of the group
$E(\mathbb{F}_N)$.


5.1.1 Schoof’s Algorithms 


Problem: to find $|E|$. For every point $P \in E(\mathbb{F}_q)$ with $n = \operatorname{ord}(P)$
there is a $k \in \mathbb{N}$ such that $k \cdot n = |E|$. By Hasse's theorem
$$k \cdot n \in [\,q + 1 - 2\sqrt q,\ q + 1 + 2\sqrt q\,] =: I.$$

Observation: if $\operatorname{ord}(P) > 4\sqrt q$, then there exists exactly one
$k \in \mathbb{N}$ such that $k \cdot n \in I$ (and hence $k \cdot n = |E|$).

Baby-Step Giant-Step Algorithm
Idea:

• Choose a 'random' point $P \in E(\mathbb{F}_q)$ and verify (in approximately
$\sqrt q$ steps) that $\operatorname{ord}(P) > 4\sqrt q$.

• Determine the unique number $k \cdot n \in I$ with $(k \cdot n) \cdot P = O$ (and
hence $|E|$).


ALGORITHM: A Baby-Step Giant-Step

1. Initial step:

   • Set $h := \lfloor 2\sqrt q \rfloor$, so $|E| \in [q + 1 - h,\ q + 1 + h]$;

   • Define $t' := \operatorname{trace}(\phi) + h$. Then
     $|E| = q + 1 - \operatorname{trace}(\phi) = q + 1 + h - t'$ with $t' \in [0, 2h]$;

   • Set $m := \lceil \sqrt{2h}\, \rceil$ (about $2q^{1/4}$), so that there exist
     $a, b \in \{0, 1, \dots, m - 1\}$ with $t' = am + b$.

2. Baby step:

   (a) For $b < m$:
      i. compute $b \cdot P$ and store it in a list,
      ii. $b \leftarrow b + 1$.

3. Giant step:

   (a) For $a < m$:
      i. compute $(q + 1 + h - am) \cdot P$,
      ii. compare: if $(q + 1 + h - am) \cdot P = b \cdot P$ for some stored $b$,
          return $\{t' = am + b\}$,
      iii. $a \leftarrow a + 1$.

4. Return $\{q + 1 - t' + h\}$.

By construction $am + b = t' \in [0, 2h]$ and $\operatorname{trace}(\phi) = t' - h$, so
$|E| = q + 1 - \operatorname{trace}(\phi) = q + 1 - t' + h$, which proves the correctness
of the above algorithm (the uniqueness of $t'$ follows from the observation above).


Schoof’s Algorithm 


In this case we try to find the trace $t = \operatorname{trace}(\phi)$, where $\phi$ is
the Frobenius. As we know from the functional equation, $|E(\mathbb{F}_q)| = q + 1 - t$.
Idea: first compute $t$ modulo $\ell$ for several small primes $\ell$ (we write $\ell$
for these primes to avoid confusion with the characteristic).
Chinese Remainder Theorem: from the congruences $t \bmod \ell_i$ for $i = 1, \dots, k$
we can determine $t \bmod (\ell_1 \cdots \ell_k)$ uniquely.

We know that $t \in [-2\sqrt q, 2\sqrt q]$ (by Hasse), so that $t$ is uniquely
determined by $t \bmod \ell_i$ for $i = 1, \dots, k$ if $\ell_1 \cdots \ell_k > 4\sqrt q$.
It is natural to start with $\ell_1, \ell_2, \ell_3, \dots = 2, 3, 5, \dots$

ALGORITHM: Schoof's Algorithm
1. Step: find an $\ell$-torsion point $P \ne O$ on $E$, where $\ell$ is a prime, not
necessarily with $P \in E(\mathbb{F}_q)$. We can find this point by means of the
division polynomials.

Let $[m] : E \to E$ be the multiplication-by-$m$ morphism, i.e. there exist
polynomials $\phi_m, \omega_m, \psi_m$ such that
$$[m](x, y) = \left(\frac{\phi_m(x, y)}{\psi_m(x, y)^{2}},\ \frac{\omega_m(x, y)}{\psi_m(x, y)^{3}}\right).$$

These polynomials are known and can be written recursively (in affine form, $Z = 1$) as
$$\psi_0 = 0,\quad \psi_1 = 1,\quad \psi_2 = 2Y,\quad \psi_3 = 3X^{4} + 6aX^{2} + 12bX - a^{2},$$
$$\psi_4 = 4Y\left(X^{6} + 5aX^{4} + 20bX^{3} - 5a^{2}X^{2} - 4abX - 8b^{2} - a^{3}\right),$$
$$\psi_{2m+1} = \psi_{m+2}\psi_m^{3} - \psi_{m-1}\psi_{m+1}^{3} \quad (m \ge 2),$$
$$\psi_{2m} = \frac{\psi_m}{\psi_2}\left(\psi_{m+2}\psi_{m-1}^{2} - \psi_{m-2}\psi_{m+1}^{2}\right) \quad (m \ge 2).$$

$P$ is an $\ell$-torsion point $\Leftrightarrow$ $[\ell](P) = O = (0 : 1 : 0)$, the unique
point at infinity, $\Leftrightarrow$ $\psi_\ell(P) = 0$.
In fact: $P = (X, Y)$ is an $\ell$-torsion point on $E$ $\Leftrightarrow$
$Y^{2} = X^{3} + aX + b$ and $\psi_\ell(X, Y) = 0$.
Without loss of generality we may assume that $\psi_\ell$ is linear in $Y$ (substitute
the curve equation for the higher powers of $Y$); for odd $\ell$ it is in fact a
polynomial $h_\ell(X)$ in $X$ alone. Therefore: $P = (x : y : 1) \in E$ with
$\ell \cdot P = O$ $\Leftrightarrow$ $h_\ell(x) = 0$ and $y^{2} = x^{3} + ax + b$.

2. Step: for $\tau = 0, \dots, \ell - 1$ test whether
$$\tau\,\phi(P) = \phi^{2}(P) + q \cdot P,$$
where $\phi$ is the Frobenius and $P$ is an $\ell$-torsion point.

If YES, then $t \equiv \tau \pmod \ell$: by Corollary 2.1, part 2, we have the
functional equation
$$\phi^{2} - t\phi + q = 0,$$
so $t\,\phi(P) = \phi^{2}(P) + q \cdot P = \tau\,\phi(P)$, hence $\phi((\tau - t)P) = O$,
i.e. $(\tau - t)P \in \ker(\phi)$. Now
$$\ker(\phi) = \{(x : y : z) \mid (x^{q} : y^{q} : z^{q}) = (0 : 1 : 0)\} = \{(0 : 1 : 0)\} = \{O\},$$
so $(\tau - t)P = O$, hence $\ell \mid \tau - t$, i.e. $t \equiv \tau \pmod \ell$.

Hence we get $t$ modulo $\ell$; then, by means of the Chinese Remainder Theorem
(CRT), we get $t \bmod (\ell_1 \cdots \ell_k)$ and hence $|E| = q + 1 - t$. Note that
this algorithm was improved by Atkin and Elkies; for details see [29], [48].


5.1.2 ECPP Algorithm (Goldwasser-Kilian) 


In this section we give the algorithm due to Goldwasser and Kilian as pseudocode,
following Cohen [1].


ALGORITHM: ECPP Algorithm (Goldwasser-Kilian)
INPUT: a number $N \in \mathbb{Z}$ whose primality will be (dis)proved.
OUTPUT: if $N$ is composite, a divisor of $N$; if $N$ is prime, return TRUE.

1. Initialize. Set $i \leftarrow 0$ and $N_i \leftarrow N$.

2. Is $N_i$ small? If $N_i$ is below a fixed small bound, trial divide $N_i$ by the
primes from the list. If $N_i$ is not prime GOTO step 9, otherwise return TRUE.

3. Choose a random curve. Choose $a$ and $b$ at 'random' in $\mathbb{Z}/N_i\mathbb{Z}$ and
check that $4a^{3} + 27b^{2} \in (\mathbb{Z}/N_i\mathbb{Z})^{*}$. Let $E$ be the elliptic
curve whose affine Weierstrass equation is $y^{2} = x^{3} + ax + b$.

4. Use Schoof. Using Schoof's algorithm, compute $m \leftarrow |E(\mathbb{Z}/N_i\mathbb{Z})|$.
If Schoof's algorithm fails GOTO step 9.

5. Is $m$ OK? Check whether $m = 2q$ where $q$ passes the Miller-Rabin test (or,
more generally, trial divide $m$ up to a small bound and check that the remaining
factor $q$ passes the Miller-Rabin test and is larger than $(N_i^{1/4} + 1)^{2}$).
If this is not the case GOTO step 3.

6. Find $P$. Choose $x \in \mathbb{Z}/N_i\mathbb{Z}$ at 'random' until the Legendre (or
Jacobi) symbol $\left(\frac{x^{3} + ax + b}{N_i}\right)$ is equal to 0 or 1 (this occurs
after a few trials at most). Then compute $y \in \mathbb{Z}/N_i\mathbb{Z}$ such that
$y^{2} = x^{3} + ax + b$; if this fails GOTO step 9.

7. Check $P$. Compute $P_1 \leftarrow m \cdot P$ and $P_2 \leftarrow (m/q) \cdot P$. If
during the computations some division is impossible, GOTO step 9. Otherwise check
that $P_1 = O_E$, i.e. that $P_1 = (0 : 1 : 0)$ in projective coordinates. If
$P_1 \ne O_E$ GOTO step 9. Finally, if $P_2 = O_E$ GOTO step 6.

8. Recurse. Set $i \leftarrow i + 1$ and $N_i \leftarrow q$ and GOTO step 2.

9. Backtrack. (We are here only when $N_i$ is not prime, which is an unlikely
occurrence.) If $i = 0$, output a message saying that $N$ is 'composite' and
terminate the algorithm. Otherwise set $i \leftarrow i - 1$ and GOTO step 3.

Remark 5.1. As stated in the algorithm, if $N$ is not prime the algorithm may run
indefinitely, and so should perhaps not be called an algorithm in this sense.


5.1.3 certificate 


The results introduced in the last chapter apply here without any reservation.


5.2 Atkin’s ECPP Algorithm 


We have seen in this chapter and in Chapter 3 that the basic problem in our
primality proving algorithms is to find the size of the group of rational points of
an elliptic curve over a finite field $\mathbb{F}_q$. In the Goldwasser-Kilian
algorithm this problem is solved with the theoretical algorithm due to Schoof.
However, Schoof's algorithm and its variants are hard to implement efficiently. We
will therefore use the properties of elliptic curves over finite fields related to
complex multiplication, which we introduced in Chapter 3.


5.2.1 Generating Elliptic Curves with Complex Multiplication

As already defined in Chapter 3, an elliptic curve has complex multiplication (CM)
if $\operatorname{End}(E)$ is strictly bigger than $\mathbb{Z}$. By Theorem 3.10, $j(\tau)$ is
an algebraic integer of degree $h_D$. If $\mathbb{Z}[\tau]$ is the maximal order of some
imaginary quadratic number field $K$, then $H = K(j(\tau))$ is an extension of $K$ of
degree $h_D$. This is actually the maximal unramified abelian extension of $K$. As
already explained in Theorem 3.10, $H$ is called the Hilbert class field of $K$, i.e.
it is a field in which every ideal of $\mathbb{Z}[\tau]$ becomes principal when
considered as an ideal of $\mathbb{Z}_H$.

We have to find the Hilbert class polynomial $H_D(x)$ of Theorem 3.10.


An intermediate approach will be used to do this. Set $q = e^{2\pi i\tau}$ and
$$\Delta(\tau) = q\left(1 + \sum_{n \ge 1} (-1)^{n}\left(q^{n(3n-1)/2} + q^{n(3n+1)/2}\right)\right)^{24}.$$
This can be computed as written (by Euler's pentagonal number theorem it is the
well-known product $q\prod_{n \ge 1}(1 - q^{n})^{24}$; the normalizing factor
$(2\pi)^{12}$ of the modular discriminant $\Delta = g_2^{3} - 27g_3^{2}$ has been
omitted, since only a ratio of two values of $\Delta$ will be used). The formula we
use for computing $j(\tau)$ is
$$j(\tau) = \frac{(256 f(\tau) + 1)^{3}}{f(\tau)}, \qquad f(\tau) = \frac{\Delta(2\tau)}{\Delta(\tau)}.$$
We now give the algorithm due to Cohen for finding the Hilbert class polynomial.


ALGORITHM: Hilbert Class Polynomial
Input: a negative discriminant $D$.
Output: the monic polynomial of degree $h_D$ in $\mathbb{Z}[X]$ of which
$j((D + \sqrt D)/2)$ is a root.
1. Initialize. Set $P \leftarrow 1$, $b \leftarrow D \bmod 2$ and $B \leftarrow \lfloor \sqrt{|D|/3} \rfloor$;
2. Loop on $b$. (For $b = D \bmod 2,\ b + 2,\ \dots \le B$ do the following.)
3. Initialize $a$. Set $t \leftarrow (b^{2} - D)/4$ and $a \leftarrow \max(b, 1)$;
4. Test. If $a \nmid t$ GOTO step 5. Otherwise compute $j \leftarrow j((-b + \sqrt D)/(2a))$
using the above formulas. Now if $a = b$ or $a^{2} = t$ or $b = 0$ set
$P \leftarrow P \cdot (X - j)$, else set $P \leftarrow P \cdot (X^{2} - 2\operatorname{Re}(j)X + |j|^{2})$;
5. Loop on $a$. Set $a \leftarrow a + 1$. If $a^{2} \le t$ GOTO step 4;
6. Loop on $b$. Set $b \leftarrow b + 2$. If $b \le B$ GOTO step 3; otherwise round the
coefficients of $P$ to the nearest integer, output $P$ and terminate the algorithm.

(The triples $(a, b, c)$ with $c = t/a$ run through the reduced forms of
discriminant $D$; for a non-fundamental $D$ one also skips the non-primitive forms
with $\gcd(a, b, c) > 1$.)
We need to state a remark due to Cohen:
We need to state a remark due to Cohen: 


Remark 5.2. The final coefficients of $P$ (known to be integers) must be computed
with an error of at most $0.5$. For this, we need an a priori estimate of the size
of the coefficients of $P$. In practice we look at the constant term, which is
usually not far from being the largest. This term is equal to the product of the
values $j((-b + \sqrt D)/(2a))$ over all reduced forms $(a, b, c)$, and the modulus of
such a value is approximately $e^{\pi\sqrt{|D|}/a}$; hence the modulus of the constant
term is relatively close to $10^{k}$, where
$$k = \frac{\pi\sqrt{|D|}}{\ln 10}\sum \frac{1}{a},$$
the sum running over all reduced forms $(a, b, c)$ of discriminant $D$.
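The Hilbert class polynomial algorithm above as an added Python example (not code from the thesis). j(τ) is evaluated from the q-expansion of Δ and the formula j = (256 f + 1)^3 / f with double-precision complex numbers, which is adequate only for the tiny |D| used here; the real algorithm needs the multiprecision estimate of Remark 5.2 before rounding. The primitivity check gcd(a, b, c) = 1 is included so that non-fundamental discriminants are handled as well.

```python
# Added example (not code from the thesis): the Hilbert class polynomial H_D(X)
# from the q-expansion, following the loop over reduced forms above.  Plain
# double-precision complex arithmetic is enough for the tiny |D| used here; the
# real algorithm needs the multiprecision estimate of Remark 5.2 before rounding.
import cmath
from math import gcd, isqrt, sqrt


def delta_over_q(q, terms=60):
    """Delta(tau)/q = prod_{n>=1} (1 - q^n)^24; the factor (2 pi)^12 cancels in ratios."""
    prod, qn = 1.0, q
    for _ in range(terms):
        prod *= (1 - qn) ** 24
        qn *= q
    return prod


def j_invariant(tau):
    """j(tau) = (256 f + 1)^3 / f with f(tau) = Delta(2 tau) / Delta(tau)."""
    q = cmath.exp(2j * cmath.pi * tau)
    f = q * delta_over_q(q * q) / delta_over_q(q)   # Delta(2tau)/Delta(tau) = q P(q^2)/P(q)
    return (256 * f + 1) ** 3 / f


def poly_mul(p, r):
    """Product of coefficient lists (constant term first)."""
    out = [0j] * (len(p) + len(r) - 1)
    for i, c1 in enumerate(p):
        for k, c2 in enumerate(r):
            out[i + k] += c1 * c2
    return out


def hilbert_class_polynomial(D):
    """Integer coefficients of H_D(X), constant term first, for D < 0, D = 0,1 (mod 4).
    One linear factor X - j per real (ambiguous) reduced form (a, b, c), one
    quadratic factor X^2 - 2 Re(j) X + |j|^2 per pair of conjugate forms."""
    assert D < 0 and D % 4 in (0, 1)
    P = [1 + 0j]
    b, B = D % 2, isqrt(-D // 3)                   # B = floor(sqrt(|D|/3))
    while b <= B:
        t = (b * b - D) // 4                        # t = a*c
        a = max(b, 1)
        while a * a <= t:
            if t % a == 0 and gcd(gcd(a, b), t // a) == 1:   # primitive form (a, b, c)
                j = j_invariant(complex(-b, sqrt(-D)) / (2 * a))
                if a == b or a * a == t or b == 0:
                    P = poly_mul(P, [-j, 1])
                else:
                    P = poly_mul(P, [abs(j) ** 2, -2 * j.real, 1])
            a += 1
        b += 2
    return [round(c.real) for c in P]
```

For D = −15 the two reduced forms (1, 1, 4) and (2, 1, 2) are both ambiguous, so both j-values are real and H_{−15}(X) = X^2 + 191025 X − 121287375 comes out as a product of two linear factors.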


Construction of elliptic curves with CM 


Instead of taking 'random' elliptic curves as in the Goldwasser-Kilian algorithm,
we choose elliptic curves with complex multiplication by an order of an imaginary
quadratic number field $K = \mathbb{Q}(\sqrt D)$ in which $N$, our prime candidate,
splits as a product of two elements. This enables us to apply Theorem 3.15 due to
Deuring, which immediately gives the cardinality of $E(\mathbb{Z}/N\mathbb{Z})$.

In this case, too, we work as if $N$ were prime. We must find a negative
discriminant $D$ such that $N$ splits as a product of two elements (so as to ensure
that the curve is not supersingular), i.e. $N$ is not inert in $K$. This can be
achieved by means of Cornacchia's algorithm of Chapter 2: applying it repeatedly to
solve $x^{2} + |D|\,y^{2} = 4N$ we find such a discriminant $D$. Once such a pair
$(x, y)$ is found, we have
$$\pi = \frac{x + y\sqrt D}{2},$$
and by applying Deuring we get
$$m = |E(\mathbb{Z}/N\mathbb{Z})| = N + 1 - \pi - \bar\pi = N + 1 - x.$$

We know that $m = p + 1 - t$, where $t$ is the trace of Frobenius. Recall that
$t = \pi + \bar\pi$, where $\pi$ is an element of norm $N$. A solution of
$x^{2} + |D|\,y^{2} = 4N$ by means of Cornacchia means that
$$\pi = \pm\frac{x + y\sqrt D}{2}.$$
Then the other order, $N + 1 + x$, is the order of the quadratic twist of $E$. Hence,
by Theorem 3.14, in the general case we have just these two elliptic curves up to
isomorphism ($E$ and its quadratic twist), which actually proves the following lemma.

Lemma 5.2.1. Suppose $E$ and $E'$ have the same $j$-invariant but are not isomorphic
to each other over a field $\mathbb{F}_p$, where $p$ is prime. If $j \ne 0$ and
$j \ne 1728$, then $E'$ is the quadratic twist of $E$, and if $|E| = p + 1 - t$ then
$|E'| = p + 1 + t$.

Proposition 5.1. Let $w(D)$ be the number of roots of unity in the imaginary
quadratic order of discriminant $D$, so $w(D) = 2$ if $D < -4$ (as in the above
case!), $w(-4) = 4$ and $w(-3) = 6$. Then there exist exactly $w(D)$ isomorphism
classes of elliptic curves modulo $N$ with CM by the imaginary quadratic order of
discriminant $D$.

Proof: immediate from Theorem 3.14.

The above proposition corresponds to the factorization $N = (\zeta\pi)(\bar\zeta\bar\pi)$,
where $\zeta$ runs over all $w(D)$-th roots of unity (note that this corresponds in
particular to the above situation $\zeta = \pm 1$ if $D < -4$).
Our second aim is to write down explicitly the equation of these elliptic
curves. Since N splits in the order of discriminant D, we have w(D) | N − 1
and there exist (N − 1)/2 values of g ∈ Z/NZ ((N − 1)/3 if D = −3) such that
g^((N−1)/p) ≠ 1 for each prime p dividing w(D). Choosing one such value of g we get the
following equations of elliptic curves.

Lemma 5.2.2. Let c = j/(1728 − j), where j = j((D + √D)/2).

1. If D < −4 we have the following affine equation of the elliptic curve E:
   y² = x³ − 3cg^(2k)x + 2cg^(3k) for k = 0 or 1.

2. If D = −4 we have
   y² = x³ − g^k x for 0 ≤ k ≤ 3.

3. If D = −3 we have
   y² = x³ − g^k for 0 ≤ k ≤ 5.
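The construction above, carried through in code: Cornacchia's algorithm for x² + |D|y² = 4N, the candidate orders of E and its twist, and the curve of Lemma 5.2.2 built from j, checked by brute-force point counting. This is an added example and not the thesis's code; it uses D = −7, whose single j-invariant j((1 + √−7)/2) = −3375 is a known value, takes the sign convention c = j/(j − 1728), a = −3c, b = 2c (under which the curve has j-invariant j), and tries constructed small primes N.

```python
from math import isqrt

# Added example, not the thesis's code. D = -7 has class number 1 and the known j-invariant
# j((1 + sqrt(-7))/2) = -3375; the primes N tried below are constructed for the example.
J_D7 = -3375


def legendre(a, N):
    """Legendre symbol (a/N) for an odd prime N, as 0, 1 or -1 (Euler's criterion)."""
    a %= N
    if a == 0:
        return 0
    return 1 if pow(a, (N - 1) // 2, N) == 1 else -1


def sqrt_mod(a, N):
    """Some r with r^2 = a (mod N), or None; brute force, adequate for the small N used here."""
    a %= N
    return next((r for r in range(N) if r * r % N == a), None)


def cornacchia_4N(D, N):
    """Solve x^2 + |D| y^2 = 4N (step 3 of Atkin's ECPP) for an odd prime N and D < 0,
    D = 0 or 1 (mod 4). Returns (x, y), or None when N does not split in Q(sqrt(D))."""
    if legendre(D, N) != 1:
        return None
    x0 = sqrt_mod(D, N)
    if (x0 - D) % 2:                 # force x0 = D (mod 2), so that x0^2 = D (mod 4N)
        x0 = N - x0
    a, b, bound = 2 * N, x0, isqrt(4 * N)
    while b > bound:                 # Euclid on (2N, x0) until the remainder is <= 2 sqrt(N)
        a, b = b, a % b
    rest = 4 * N - b * b
    if rest % (-D):
        return None
    y = isqrt(rest // (-D))
    return (b, y) if y * y * (-D) == rest else None


def candidate_orders(D, N, x, y):
    """The w(D) values of m = |E(Z/NZ)| formed in step 4 from a solution of x^2 + |D|y^2 = 4N."""
    ms = {N + 1 + x, N + 1 - x}
    if D == -4:
        ms |= {N + 1 + 2 * y, N + 1 - 2 * y}
    if D == -3:
        ms |= {N + 1 + s * (x + e * 3 * y) // 2 for s in (1, -1) for e in (1, -1)}
    return ms


def curve_from_j(j, N):
    """(a, b) of y^2 = x^3 + a x + b with j-invariant j (j not 0 or 1728 mod N).
    Sign convention assumed here: c = j/(j - 1728), a = -3c, b = 2c, which gives j(E) = j."""
    c = j * pow((j - 1728) % N, -1, N) % N
    return (-3 * c) % N, (2 * c) % N


def twist(a, b, g, N):
    """Quadratic twist by a non-residue g (step 10 for D < -4): (a g^2, b g^3)."""
    return a * g * g % N, b * pow(g, 3, N) % N


def j_invariant(a, b, N):
    """j = 1728 * 4a^3 / (4a^3 + 27b^2) mod N."""
    num = 4 * pow(a, 3, N) % N
    return 1728 * num * pow((num + 27 * b * b) % N, -1, N) % N


def count_points(a, b, N):
    """|E(Z/NZ)| by brute force: the point at infinity plus 1 + ((x^3+ax+b)/N) points per x."""
    return 1 + sum(1 + legendre(x ** 3 + a * x + b, N) for x in range(N))


def cm_orders(D, j, N):
    """(orders predicted by step 4, orders counted on E and its twist), or None if N is inert."""
    sol = cornacchia_4N(D, N)
    if sol is None:
        return None
    a, b = curve_from_j(j, N)
    g = next(g for g in range(2, N) if legendre(g, N) == -1)
    a2, b2 = twist(a, b, g, N)
    return candidate_orders(D, N, *sol), {count_points(a, b, N), count_points(a2, b2, N)}


if __name__ == "__main__":
    for N in (11, 23, 137):
        print(N, cornacchia_4N(-7, N), cm_orders(-7, J_D7, N))
```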


Now at the end we will explain how we can find the roots of Hilbert class poly-
nomials over Z/NZ. This is the problem of factoring, and hence finding the roots
of, polynomials over finite fields. We will introduce the so-called Berlekamp's
algorithm to solve this problem, which is a generalisation of Gaussian elimination
in linear algebra. For details see [46] and [2].


ALGORITHM: Berlekamp's Algorithm
Input: a square-free polynomial f(x) of degree n in (Z/NZ)[x].

Output: the factorization of f(x) into monic irreducible polynomials.

1. For each i, 0 ≤ i ≤ n − 1, compute the polynomial

   x^(iN) mod f(x) = Σ_{j=0}^{n−1} N_ij x^j.

   Note that each N_ij is an element of Z/NZ.

2. Form the n × n matrix Q whose (i, j)-entry is N_ij.

3. Determine a basis v_1, …, v_t for the null space of the matrix (Q − I_n), where
   I_n is the n × n identity matrix. The number of irreducible factors of
   f(x) is then precisely t.

4. Set F ← {f(x)}. (F is the set of factors of f(x) found so far; their product
   is equal to f(x).)

5. For i from 1 to t do:

   (a) For each polynomial h(x) ∈ F such that deg h(x) > 1 do the following:
       i. compute gcd(h(x), v_i(x) − a) for each a ∈ Z/NZ, where v_i(x) is the
          polynomial whose coefficient vector is v_i,
       ii. replace h(x) in F by all those polynomials in the gcd computa-
           tions whose degrees are ≥ 1.

   (b) i ← i + 1.

6. Return the polynomials in F as the factors of f(x).
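The algorithm above in code, run on the thesis's own polynomials H_23 and W_23 reduced modulo the prime N = 59 (a prime represented by the principal form of discriminant −23, so both split completely). This is an added example, not the thesis's code; N is kept small so that "for each a ∈ Z/NZ" in step 5 can be a plain loop, and polynomials are coefficient lists with the constant term first.

```python
# Added example, not the thesis's code: Berlekamp's algorithm over Z/pZ for small p.

def trim(a):
    """Polynomials are coefficient lists, a[k] = coefficient of x^k; drop leading zeros."""
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def poly_mod(a, f, p):
    """a mod f over Z/pZ (f need not be monic)."""
    a = [c % p for c in a]
    inv = pow(f[-1], -1, p)
    for k in range(len(a) - 1, len(f) - 2, -1):
        q = a[k] * inv % p
        if q:
            for t, c in enumerate(f):
                a[k - len(f) + 1 + t] = (a[k - len(f) + 1 + t] - q * c) % p
    return trim(a[:len(f) - 1] or [0])

def poly_mul(a, b, p):
    r = [0] * (len(a) + len(b) - 1)
    for k, c in enumerate(a):
        for t, d in enumerate(b):
            r[k + t] = (r[k + t] + c * d) % p
    return trim(r)

def poly_sub(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(c - d) % p for c, d in zip(a, b)])

def poly_gcd(a, b, p):
    """Monic gcd by the Euclidean algorithm."""
    while b != [0]:
        a, b = b, poly_mod(a, b, p)
    inv = pow(a[-1], -1, p)
    return [c * inv % p for c in a]

def nullspace(A, p):
    """Basis of {v : A v = 0} over Z/pZ by Gauss-Jordan elimination (A is a list of rows)."""
    A = [row[:] for row in A]
    rows, cols = len(A), len(A[0])
    pivots, r = [], 0
    for c in range(cols):
        piv = next((k for k in range(r, rows) if A[k][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, p)
        A[r] = [v * inv % p for v in A[r]]
        for k in range(rows):
            if k != r and A[k][c]:
                m = A[k][c]
                A[k] = [(v - m * w) % p for v, w in zip(A[k], A[r])]
        pivots.append(c)
        r += 1
    basis = []
    for free in range(cols):
        if free in pivots:
            continue
        v = [0] * cols
        v[free] = 1
        for row, pc in enumerate(pivots):
            v[pc] = (-A[row][free]) % p
        basis.append(v)
    return basis

def berlekamp(f, p):
    """Factor a square-free polynomial f over Z/pZ (p prime) into monic irreducibles.
    Returns (list of factors, t = number of irreducible factors)."""
    inv = pow(f[-1], -1, p)
    f = [c * inv % p for c in f]
    n = len(f) - 1
    # steps 1-2: row i of Q holds the coefficients N_ij of x^(i p) mod f
    xp = poly_mod([0] * p + [1], f, p)
    cur, Q = [1], []
    for _ in range(n):
        Q.append(cur + [0] * (n - len(cur)))
        cur = poly_mod(poly_mul(cur, xp, p), f, p)
    # step 3: v (Q - I) = 0 for row vectors v, i.e. (Q - I)^T v = 0
    QI_T = [[(Q[j][i] - (i == j)) % p for j in range(n)] for i in range(n)]
    basis = nullspace(QI_T, p)
    t = len(basis)
    # steps 4-6: split every reducible h in F by gcd(h, v_i(x) - a) for all a in Z/pZ
    F = [f]
    for v in basis:
        v = trim(v[:])
        new_F = []
        for h in F:
            if len(h) <= 2:                  # degree <= 1: already irreducible
                new_F.append(h)
                continue
            for a in range(p):
                g = poly_gcd(h, poly_sub(v, [a], p), p)
                if len(g) > 1:
                    new_F.append(g)
        F = new_F
        if len(F) == t:
            break
    return F, t

def roots_mod_p(coeffs, p):
    """Roots in Z/pZ of the integer polynomial with the given coefficients (constant term first)."""
    factors, _ = berlekamp([c % p for c in coeffs], p)
    return sorted((-g[0]) % p for g in factors if len(g) == 2)

# The thesis's polynomials for D = 23: H_23(X) = X^3 + 3491750 X^2 - 5151296875 X + 23375^3
# and W_23(X) = X^3 - X - 1, reduced modulo the prime 59 (constructed choice of N).
H23 = [23375 ** 3, -5151296875, 3491750, 1]
W23 = [-1, -1, 0, 1]

if __name__ == "__main__":
    print("roots of H_23 mod 59:", roots_mod_p(H23, 59))
    print("roots of W_23 mod 59:", roots_mod_p(W23, 59))
```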


5.2.2 ECPP ALGORITHM (Atkin) 


Now we will introduce our ECPP algorithm due to Atkin in the form of pseudocode.
As we saw in the preceding section, our aim now is, instead of finding 'random'
elliptic curves and applying our DOWN-RUN strategy as in Goldwasser-Kilian,
to apply the theory of complex multiplication for elliptic curves and to use
elliptic curves with complex multiplication in our general DOWN-RUN strategy.
We will first give the algorithm, and in the following sections we are going to
try to enhance its efficiency and to optimize some of the computational problems
that come together with our algorithm and with elliptic curve generation with CM
in finite fields of large prime characteristic.
ALGORITHM: ATKIN'S ECPP

INPUT: a number N ∈ Z whose primality will be (dis)proved.
OUTPUT: if N is composite, a divisor of N; if N is prime, return TRUE.

1. Initialize. Set i ← 0, n ← 0 and N_i ← N.

2. Is N_i small? If N_i < 2^16, trial divide N_i by the primes from the list up to
   2^8. If N_i is not prime GOTO step 14.

3. Choose next discriminant. Let n ← n + 1 and D ← D_n. If (D/N_i) ≠ 1,
   GOTO step 3. Otherwise, use Cornacchia's Algorithm to find a solution, if one
   exists, of the equation x² + |D|y² = 4N_i. If no such solution exists, GOTO
   step 3.

4. Factor m. Form m = N_i + 1 + x and m = N_i + 1 − x (and in addition m =
   N_i + 1 + 2y, m = N_i + 1 − 2y if D = −4, and m = N_i + 1 ± (x + 3y)/2, m =
   N_i + 1 ± (x − 3y)/2 if D = −3), then factor m.

5. Does a suitable m exist? If, using the preceding step, for at least one
   value of m we can find a q dividing m which passes the Miller-Rabin test
   and satisfies q > (⁴√N_i + 1)², then GOTO step 6, otherwise GOTO step 3.

6. Compute the elliptic curve. If D = −4, set a ← 1, b ← 0. If D = −3,
   set a ← 0, b ← −1. Otherwise compute the minimal polynomial H_D ∈
   Z[X] of j((D + √D)/2). Then reduce H_D modulo N_i and let j be one of
   the roots of H̄_D = H_D mod N_i. Then set c ← j/(1728 − j) mod N_i,
   a ← −3c mod N_i, b ← 2c mod N_i.

7. Find g. By making several 'random' choices of g, find g such that g is a
   quadratic non-residue modulo N_i, and in addition, if D = −3, g^((N_i−1)/3) ≢
   1 mod N_i.

8. Find P. Choose at 'random' x ∈ Z/N_iZ until the Legendre (resp. Jacobi)
   symbol ((x³ + ax + b)/N_i) is equal to 0 or 1 (this will occur in a few trials
   at most). Then compute y ∈ Z/N_iZ such that y² = x³ + ax + b (if this
   algorithm fails GOTO step 14). Finally set k ← 0.

9. Find right curve. Compute P_1 ← (m/q)·P and P_2 ← q·P_1 on the curve
   whose affine equation is y² = x³ + ax + b. If during the computations some
   division was impossible, GOTO step 14. If P_2 = O = (0 : 1 : 0) GOTO
   step 12.

10. Set k ← k + 1. If k > w(D) GOTO step 14, else if D < −4 set a ← ag²,
    b ← bg³, if D = −4 set a ← ag, if D = −3 set b ← bg, and GOTO step 8.

11. Find a new P. Choose at 'random' x ∈ Z/N_iZ until the Legendre (resp. Ja-
    cobi) symbol ((x³ + ax + b)/N_i) is equal to 0 or 1 (this will occur in a few
    trials at most). Then compute y ∈ Z/N_iZ such that y² = x³ + ax + b (if this
    algorithm fails GOTO step 14) and recompute P_1 ← (m/q)·P. If P_1 ≠ O =
    (0 : 1 : 0) then GOTO step 12.

12. Check P. If P_1 = O_E, GOTO step 11.

13. Recurse. Set i ← i + 1, N_i ← q and GOTO step 2.

14. Backtrack. (We are here when N_i is not prime, which is very unlikely.)
    If i = 0, output a message saying that N is composite and terminate the
    algorithm. Otherwise, set i ← i − 1 and GOTO step 3.


As seen in the algorithm, the basic difference compared with Goldwasser-
Kilian is to find the elliptic curves with CM; after that we try to use the same
N − 1 analog DOWN-RUN strategy, that is, applying this algorithm we will get
a list of probable primes and will try to prove the primality of smaller numbers,
and by means of these numbers we will conclude the primality of our actual prime
candidate N.
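Steps 9 to 13 of the algorithm, and the check that a verifier of the resulting certificate repeats for every stage, in code: on E: y² = x³ + ax + b over Z/NZ with m = |E|, a prime q | m with q > (⁴√N + 1)² and a point P with (m/q)·P ≠ O but m·P = O, N is prime (theorem 4.9), while a denominator that is not invertible modulo N exposes a divisor of N (step 14). This is an added example, not the thesis's code; the instance N = 137, D = −7 (4·137 = 10² + 7·8²), m = 148 = 4·37, q = 37 and the curve (85, 126) with j ≡ −3375 (mod 137) together with its twist (80, 114) by g = 3 are constructed for it, and N = 143 = 11·13 is a constructed composite.

```python
from math import gcd, isqrt

# Added example, not the thesis's code: one stage of Atkin's ECPP / certificate check.
O = None   # the point at infinity (0 : 1 : 0)


class DivisionImpossible(Exception):
    """A denominator d with gcd(d, N) > 1 appeared: gcd(d, N) is a divisor of N (step 14)."""
    def __init__(self, d, N):
        self.factor = gcd(d % N, N)
        super().__init__("gcd(%d, %d) = %d" % (d, N, self.factor))


def inv_mod(d, N):
    d %= N
    if gcd(d, N) != 1:
        raise DivisionImpossible(d, N)
    return pow(d, -1, N)


def ec_add(P, Q, a, N):
    """Affine addition on y^2 = x^3 + a x + b over Z/NZ, computed as if N were prime."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % N == 0:
            return O
        lam = (3 * x1 * x1 + a) * inv_mod(2 * y1, N) % N
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, N) % N
    x3 = (lam * lam - x1 - x2) % N
    return (x3, (lam * (x1 - x3) - y1) % N)


def ec_mul(k, P, a, N):
    """k * P by double-and-add."""
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P, a, N)
        P = ec_add(P, P, a, N)
        k >>= 1
    return R


def q_large_enough(q, N):
    """Integer form of q > (N^(1/4) + 1)^2: with r = floor(N^(1/4)) we have N^(1/4) + 1 < r + 2,
    so q >= (r + 2)^2 is sufficient (slightly stronger than the bound of theorem 4.9)."""
    r = isqrt(isqrt(N))
    return q >= (r + 2) ** 2


def on_curve(P, a, b, N):
    x, y = P
    return (y * y - x ** 3 - a * x - b) % N == 0


def verify_stage(N, a, b, m, q, P):
    """Certificate check for one stage: True if (N, E, m, q, P) satisfies theorem 4.9, False
    otherwise; raises DivisionImpossible (carrying a divisor of N) when N is exposed."""
    if N < 2 or m % q or not q_large_enough(q, N) or not on_curve(P, a, b, N):
        return False
    P1 = ec_mul(m // q, P, a, N)
    if P1 is O:
        return False
    return ec_mul(q, P1, a, N) is O


def atkin_stage(N, a, b, m, q):
    """Steps 8-13 on one curve: ('prime', P) when a point P proves N, ('wrong curve', None)
    when q*(m/q)P != O (m is not this curve's order, or N is composite), ('composite', d)
    when a division failed with d | N. Square roots are brute-forced: fine for small N."""
    if m % q or not q_large_enough(q, N):
        return ('unusable m', None)
    try:
        for x in range(N):
            rhs = (x ** 3 + a * x + b) % N
            y = next((y for y in range(N) if y * y % N == rhs), None)
            if y is None:
                continue
            P1 = ec_mul(m // q, (x, y), a, N)
            if P1 is O:
                continue                      # steps 12 -> 11: take a new P
            if ec_mul(q, P1, a, N) is O:
                return ('prime', (x, y))      # step 13 would now recurse on q
            return ('wrong curve', None)      # step 10: go to the twist
    except DivisionImpossible as e:
        return ('composite', e.factor)        # step 14
    return ('wrong curve', None)


# Constructed instance: N = 137, D = -7, m = 148 = 4 * 37, q = 37; y^2 = x^3 + 85x + 126 has
# j = -3375 mod 137 and (80, 114) is its quadratic twist by the non-residue g = 3.
N_DEMO, M_DEMO, Q_DEMO = 137, 148, 37
CURVE, TWIST = (85, 126), (80, 114)

if __name__ == "__main__":
    for a, b in (CURVE, TWIST):
        print((a, b), atkin_stage(N_DEMO, a, b, M_DEMO, Q_DEMO))
```

Exactly one of the two curves has order 148, and only on that one does a point P with 4·P ≠ O and 148·P = O turn up; the proof of 137 would then continue by recursing on q = 37.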


5.2.3 Problems and Approaches


We are going to discuss in this section the problems that we have to deal with
coming together with our above algorithm, and introduce some approaches to
make this algorithm more practical.
Factoring m

Firstly, we have to check whether m satisfies the condition which will enable
us to apply Theorem 4.9, i.e. that m is not prime, but its largest prime
factor q is larger than (⁴√N + 1)². Since we introduced a practical algorithm, we
have to deal with this problem much more seriously than in the Goldwasser-Kilian
test. We will firstly trial divide m up to a much higher bound, and then
use more serious factorization algorithms such as Pollard-ρ and p − 1 to
factor m. Here are some approaches of Atkin to solve the factorization problem:

Pollard's ρ: It is reasonable to find all factors less than 10^… with this method.
We decide to make 10^… iterations of this method. Atkin accumulated the iterates
of the function and did only two gcd's. See [42], [41] and [11].

ECM: One can use the algorithm as described in [41] with the parametriza-
tions of [42] and [41] for having curves with some prescribed small divisors.
One of the basic problems is storage. One concentrates just on the numbers
< 10^…, see [11].

Pollard's p − 1: Note that this is reasonable when testing the Cunningham
numbers, which often have the property of being congruent to ±1 modulo some
large known prime integer. So one can spend a little time to see whether we have
a possibility to get a factor of m of that type.

If m is not suitable for the conditions of theorem 4.9, we still have one
more chance, that is, we can use the other elliptic curves up to isomorphism as
we introduced in proposition 5.1 and lemma 5.2.2.


Which curve are we in?

We have w(D) elliptic curves modulo N, where D is an imaginary quadratic
discriminant (Corollary 5.1). However, a priori only one of these curves up to
isomorphism corresponds to a suitable value of m, and it is not clear which one of
these. For D = −3 or D = −4 it is easy to give a recipe for which one is actually
the right curve (as they correspond to the cases j = 0 and j = 1728). For
D < −4, such a recipe is almost impossible to find. What we can do is simply
to compute m·P for our suitable m and a 'random' P (P ≠ O) on one of these
two elliptic curves. If this is not equal to the identity, in projective coordinates
m·P ≠ O = (0 : 1 : 0), then we are on the wrong curve. If it is equal to the identity
we cannot conclude that we are on the right curve, but as P has been randomly
chosen, we can probably still use the curve to satisfy the hypothesis of theorem 4.9.
Note also that we do not need to prove mathematically that our curve is the right
one, since our aim is just to satisfy the conditions of the theorem by means of an
elliptic curve over Z/NZ.


What is a good discriminant D?

In order to obtain the equation of the curve, it is necessary to find the values of
j modulo N. This is very difficult if the class number h_D is large. Hence,
we have to start with imaginary quadratic discriminants D whose corresponding
class numbers h_D are as small as possible.

Remark 5.3. Some people have expressed concerns about using small class num-
bers h_D for cryptographic purposes, because the resulting curve may then be
more amenable to some future attacks than a curve over a more general field K. On
average it is expected that the class number h_D will grow as O(√D), so small class
numbers are in some sense special, as we explained in our ECPP algorithm. This may
possibly enable future, as yet unknown, attacks to try to solve the discrete logarithm
problem (DLP), and hence break cryptosystems, based on the groups of rational points
of elliptic curves constructed with the CM method. For details see [7].

Let p be a prime number. Then according to chapter 1, p is a norm
in Q(√D) if and only if p is represented by the principal form of H(D). For
practical purposes, as we introduced above, we can assume that |D| < 10^10 with
h_D < 50. These form a set 𝒟; we have then presumably |𝒟| = 10628 (for details see
[11]).
What happens if we have a theoretical failure?

We explained in chapter 3 that if we have complex multiplication, i.e. if End(E)
is strictly larger than Z, then we have two cases, namely

1. End(E) is an order in an imaginary quadratic number field,

2. End(E) is a maximal order of a quaternion algebra.

Our curve construction corresponds to the first case, i.e. we constructed ellip-
tic curves whose endomorphism ring is an order of an imaginary quadratic number
field. However, if we face case 2 (the supersingular case), then it is possible to have a
theoretical failure:

If q < (⁴√N + 1)², then we cannot apply our theorem. In particular, it cannot
be used when the number of points m is a perfect square and E(Z/NZ) is isomorphic
to (Z/MZ) × (Z/MZ) with m = M². This is exactly case 2, i.e. M | N − 1.
We have also then by Hasse

   √N − 1 ≤ M ≤ √N + 1;

putting ⌊√N⌋ = a and N = a² + r, with 0 ≤ r < 2a + 1, we get a ≤ M ≤ a + 1.
Suppose first that M = a. Then as M | N − 1 we have

   a | a² + r − 1,

that is a | r − 1. Then we have two cases.

• When r = 1, one has N = a² + 1 and E has complex multiplication by
  Q(√D) with D = (m − N − 1)² − 4N = −4a².

• When r > 1, as 0 ≤ r < 2a + 1, we have r − 1 = a and thus N = a² + a + 1.
  It is then easy to see that E has complex multiplication by Q(√−3). For
  details see [11].
Hilbert Polynomials

Proposition 5.2. The norm of j in Q(j), which is the same as H_D(0), is the
cube of an integer in Z.

Proof: see [11].

It is worth remarking here that we will not need to prove mathematically
that our computations regarding j are correct, as the ECPP algorithm and the cor-
responding proof depend only on our calculations on the curves. We described
a method and algorithms in section 5.2.1 with special emphasis on the numerical
value of the function j(τ).

Atkin has checked and verified the result of the above proposition, namely whether
H_D(0) is the cube of an integer, with error bound 0.5, as we have explained in 4.2.1,
for the discriminant D = 23 and got the following Hilbert class polynomial

   H_23(X) = X³ + 3491750·X² − 5151296875·X + 23375³.


Weber Polynomials

The coefficients of H_D(X), the minimal polynomial of j, become larger as the class
number h_D grows. Although one can afterwards reduce the results modulo N, to
compute these coefficients we need high precision computations of the values of j(τ)
for every quadratic irrational τ corresponding to a reduced imaginary quadratic form
of discriminant D. Since these computations are independent of N, one solution
might be to store the results before entering the algorithm, but again the coefficients
are so large that even for a moderately sized list we would need an enormous amount
of storage.

In order to avoid such computational challenges, we are going to use
meromorphic functions which are closely related to the function j(τ) and which
have analogous arithmetic properties. These functions are called Weber functions,
and the corresponding polynomials Weber polynomials. The results are due to [11]
and [7].
Define the following Weber functions, using Dedekind's η-function η(z):

   h(τ) = ζ₄₈⁻¹ η((τ + 1)/2)/η(τ),   h₁(τ) = η(τ/2)/η(τ),   h₂(τ) = √2 η(2τ)/η(τ),

where ζ_n = e^(2πi/n). These functions are not all algebraically independent, because
they are all related to j via the equations (for more details see [11])

   j = (h²⁴ − 16)³/h²⁴ = (h₁²⁴ + 16)³/h₁²⁴ = (h₂²⁴ + 16)³/h₂²⁴.

Weber calls ρ(τ) a class invariant if ρ(τ) lies in the Hilbert class field of Q(j).
Clearly j(τ) is a class invariant. Further, with Weber functions one can determine
many more class invariants. These give rise to polynomials, usually abbreviated
W_D(X), computed using almost the same idea as for H_D(X). Finding roots of
these polynomials, which have considerably smaller coefficients in general, will al-
low us to recover the j-invariants.


Let −D be an imaginary quadratic discriminant and d be a square-free pos-
itive integer such that Q(√−D) = Q(√−d). Then we can apply the following
conditions in turn:
• If D ≡ 3 mod 6 use ρ = √−D · γ₃(τ),
• If D ≡ 7 mod 8 use ρ = h(τ)/√2,
• If D ≡ 3 mod 8 use ρ = h(τ),
• If D ≡ ±2 mod 8 use ρ = h₁(τ)/√2,
• If D ≡ 5 mod 8 use ρ = h(τ),
• If D ≡ 3 mod 8 use ρ = h(τ)²/√2.

The only problem here is if D ≡ 3 mod 8 and D ≢ 3 mod 6. In that case the
degree of the Weber polynomial W_D(x) is 3h_D, not h_D. So it is
a better idea not to use such discriminants.

We got above for the case D = 23 the Hilbert class polynomial
   H_23(X) = X³ + 3491750·X² − 5151296875·X + 23375³.
If we use the Weber polynomial instead of the Hilbert class polynomial we get
   W_23(X) = X³ − X − 1.

The above example shows how we can benefit by using Weber polynomials
instead of Hilbert class polynomials.
Further discussions

Some improvement can be done by examining the possible splitting properties of
the rational primes in the quadratic extension K = Q(√−d) and its Hilbert class
field. This reduces to the following lemma due to [7]:

Lemma 5.2.3. Let d be a square-free integer and p a prime such that we can find a
solution to the diophantine equation
   p = x² + dy².
Then we have the following:
1. If p ≡ 3 mod 8 then d ≡ 2, 3 or 7 mod 8.
2. If p ≡ 5 mod 8 then d ≡ 1 mod 2.
3. If p ≡ 7 mod 8 then d ≡ 3, 6 or 7 mod 8.
In particular, we must have (−d/p) = (−D/p) = 1.

As we introduced earlier, one can perform Berlekamp's algorithm to factor
the polynomials H_D over Z/NZ. However, this can be expensive, since for a
given N the complexity of such a computation is basically proportional to the
square of the degree of the polynomial, i.e. in our case ~ h_D². This explains
why we discarded the case D ≡ 3 mod 8, since in this case we might work on
polynomials of degree 3h_D. The methods to factor the polynomials over their
genus field and other computational remarks related to these can be found in
detail in the article of Atkin. See [11].


5.2.4 Certificate

As we introduced both in the general ECPP algorithm and in the ECPP algorithm of
Goldwasser & Kilian, it is also possible to verify the result of the algorithm if we
have built a sequence of intermediate probable primes together with the elliptic
curves found, their numbers of points and a point on each satisfying the require-
ments of the theorem. This is, as we already explained, a certificate of primality.
This is a generalization of the ideas of Pratt & Pomerance, see [45] and [44].
For example, Kaltofen and Valente agreed on the certification of a 222-digit prime.
They also checked the 1226-digit record.


5.3 Remarks

We introduced Atkin's ECPP algorithm. In contrast to the ECPP algorithm of
Goldwasser and Kilian, this algorithm performs well in practice, since it is feasible
to use this algorithm to prove the primality of numbers from 100 to thousands of
decimal digits and more. It is possible with current computer technology
to test arbitrary integers up to 400 digits in a few days on a single SUN
3/60 workstation with this algorithm. Numbers with less than 800 digits can be
handled in about one week of real time using distributed processing on about 10
workstations.

However, there are also some remaining uncertainties about finding the best strategy
for applying the methods to larger probable prime inputs. The general operations
which should be implemented efficiently and optimally, and whose timings on a
particular machine are relevant to the strategy, are:

• Sieving and subsequent factorization of the number of points of groups of
  rational points of an elliptic curve,

• Exponentiation modulo a large prime p (and equivalent square roots, pseu-
  doprime tests),

• Exponentiation on elliptic curves modulo a large prime p,

• Solution of polynomial equation congruences modulo a large prime p.
CHAPTER 6

ANALYSIS

In this chapter, we are going to analyze the running time complexities of our
ECPP algorithms due to Goldwasser-Kilian and Atkin, respectively.

6.1 Preliminaries

The following two theorems due to Heath-Brown and Lenstra, respectively, allow
us to analyze our algorithm for uniformly distributed inputs.


Theorem 6.1 (Heath-Brown). Call an integer y sparse if there are fewer than
√y/(2⌊log y⌋) primes in the interval [y, y + ⌊√y⌋]. Then there exists a constant α
such that for sufficiently large x,

   |{y : y ∈ (x, 2x], y is sparse}| ≤ x^(5/6) log^α x.

Proof: see [9].

Theorem 6.2 (Lenstra). Let p > 5 be a prime. Let

   S ⊆ [p + 1 − ⌊√p⌋, p + 1 + ⌊√p⌋].

If a curve given by (A, B), A, B ∈ Z_p, in Weierstrass normal form over Z_p is
chosen uniformly, then

   prob(|(A, B)| ∈ S) ≥ (c / log p) · (|S| − 2)/(2⌊√p⌋ + 1),

where c is some fixed constant.

Proof: see [9].

Essentially, the size of a 'random' group is at most O(1/log p) times less likely
to have a particular property than a randomly selected integer in

   [p + 1 − ⌊√p⌋, p + 1 + ⌊√p⌋],

provided that |S| > 2.


6.2 Analysis

We are going to look first at the analysis of random elliptic curve genera-
tion which satisfies the conditions of our main theorem 4.9. We analyse the
running time of the elliptic curve generation part satisfying our condition in terms of
the number of primes in an appropriate interval around p/2. Define S(p) by

   S(p) = { q : q ∈ [ (p + 1 − ⌊√p⌋)/2, (p + 1 + ⌊√p⌋)/2 ], q is prime }.

Lemma 6.2.1. Let p > 5 be a k-bit prime, and suppose that |S(p)| = Ω(√p / log² p).
Then prime number generation will run for expected O(k^(9+ε)) steps before it ter-
minates.

Proof: see [9].

Lemma 6.2.2. Let p > 5 be a prime, and let (A, B) be chosen uniformly from
curves over Z_p. Let also S(p) be defined as above. Then

   prob(|(A, B)| is twice a prime) ≥ (c / log p) · (|S(p)| − 2)/(2⌊√p⌋ + 1),

where c is some fixed constant.

Proof: see [9].

After introducing the basic facts which were used to analyse the ECPP algo-
rithm of Goldwasser & Kilian, we are going to give the theorems whose
proofs can be found in [32] and [24] in detail.
Theorem 6.3. Suppose that there exist two positive constants c₁ and c₂ such
that the number of primes in the interval [x, x + √(2x)] (x ≥ 2) is greater than
c₁√x (log x)^(−c₂). Then the Goldwasser-Kilian algorithm proves the primality of N in
expected time O((log N)^(10+c₂)).

Theorem 6.4. There exist two positive constants c₃ and c₄ such that for all
k ≥ 2, the proportion of prime numbers N of k bits for which the expected time of
the Goldwasser-Kilian algorithm is bounded by c₃(log N)^11 is at least

   1 − c₄ 2^(−k^(1/log log k)).

At the end we can summarize the analysis of the algorithm as follows:

1. Given an input of length k, the algorithm produces a certificate of primality
   that is of length O(k²), and requires O(k⁴) steps to verify.

2. The algorithm terminates in expected polynomial time on every prime num-
   ber, provided that the following conjecture is true:

   CONJECTURE: (∃ c₁, c₂ > 0) π(x + √x) − π(x) ≥ c₁√x / log^(c₂) x
   for x sufficiently large.

3. There exist constants c₁ and c₂ such that for all k sufficiently large, the
   algorithm will terminate in expected c₁k^11 time for all but at most

   2^k / 2^(k^(c₂/log log k))

   of the inputs. In other words, the algorithm can be proved to run quickly
   on all but a vanishingly small fraction of the prime numbers.

In contrast to the Goldwasser-Kilian algorithm, for Atkin's ECPP we have only the
heuristic analysis cited in [33]. Atkin and Morain found that the running time of
Atkin's ECPP is roughly O((log N)^(6+ε)) for some ε > 0. Other implementation
details and practical considerations to make this algorithm more practical and more
optimized were briefly discussed in chapter 5, and for further details see [11].
CHAPTER 7

IMPLEMENTATION, LIDIA CLASSES AND CONCLUSION

7.1 Implementation details

7.1.1 SINGULAR source code examples

We will start our implementations with a prime listing algorithm (like the sieve of
Eratosthenes) in the programming language SINGULAR by using the prime function.
Note: the limitation for integers in SINGULAR (upper bound) is 2147483647.


//The following function computes the list of primes given
//in lower and upper bound from bigger to smaller
//Written by Osmanbey Uzunkol...

proc primelist(int a, int b) {
  list myprime;
  int temp=prime(b);           // prime(b) is the largest prime <= b
  myprime[1]=temp;
  int temp2=temp;
  if (a!=1) {                  // if 1
    for (int i=2; temp>a; i++) {
      temp=prime(temp2-1);     // the next smaller prime
      if ((temp>a) && (temp>2)) {
        myprime[i]=temp;
        temp2=temp;
      }
    }                          // end of for
    return(myprime);
  }                            // end of if 1
  else {
    list myprime2=primelist(a+1, b);
    int b=size(myprime2);      // shadows the parameter b: SINGULAR warns "redefining b"
    list myprime3;
    for (int i=1; i<=b; i++) {
      myprime3[i]=myprime2[i];
    }
    myprime3[b+1]=2;           // the prime 2 is appended by hand
    return(myprime3);
  }
}

> primelist(45353109, 45353264);
[1]:
   45353237
[2]:
   45353207
[3]:
   45353201
[4]:
   45353183
[5]:
   45353173
[6]:
   45353149
[7]:
   45353111


//The following programme tests whether the given prime candidate N
//passes the trial-division algorithm as explained in the thesis.
//It computes the primes up to 32768 in a list and then tries to
//divide the candidate by any of the list elements. If one of the elements
//divides N then it returns the prime, and proves that this number is
//composite together with its divisor. If it returns 1 then we have a
//(probable) prime. Written by Osmanbey Uzunkol...

ring r=0,x,lp;                 //in order to use the type number to compute big integers
proc isdivisible(number N) {
  list l=primelist(1,32768);   //note that this option can be changed
  int temp=size(l);            //depending on the situation...
  int i=1;
  while (i<=temp) {
    if ((N mod l[i])==0) {
      if (l[i]!=N) {
        return(l[i]);          // a proper divisor: N is composite
      }
      else {
        return(1);             // N itself is one of the small primes
      }
    }                          //end of if
    i++;
  }
  return(1);                   // no prime of the list divides N: (probable) prime
}

Example: The following example illustrates and proves that the given number is
divisible by the prime 3251.

> isdivisible(1992882373366515526677171625362176265267366353667161984875872441);
// ** redefining b **
3251

Example: The following example shows that the given candidate 153298644105116578975167048104782789635951257974397 is a (probable) prime. Although it is actually not, since
153298644105116578975167048104782789635951257974397 = 9661373 · 15867169615034693203043402641092812547031489.

> isdivisible(153298644105116578975167048104782789635951257974397);
// ** redefining b **

//The following function computes the Legendre symbol for primes and the Jacobi
//symbol for integers in general as explained in the thesis.
//Written by Osmanbey Uzunkol..

ring r=0,x,lp;
proc Jacobi(number a, number n) {
  int i;                       // number of factors 2 removed from a
  int s;                       // sign contributed by those factors 2
  a=a mod n;
  if (a==0) {
    return(0);}
  if (a==1) {
    return(1);}
  if (gcd(a,n)>1) {
    return(0); }
  else {
    number temp=a;             // the reduced a; its odd part is used below
    while (temp mod 2==0) {
      temp=(temp/2);
      i++;
    }
    if (i%2==0) { s=1; }
    else {
      if ((n mod 8)==1||(n mod 8)==7) {
        s=1; }
      else {
        s=-1; }                // (2/n) = -1 for n = 3, 5 mod 8
    }
    if ( ((n mod 4)==3) && ((temp mod 4)==3) ) {   // quadratic reciprocity
      s=(-s); }
    if (temp!=1) {
      number n1=n mod temp;
      int temp1=s*Jacobi(n1,temp);
      return(temp1);
    }
    else {
      return(s);
    }
  }
}//end of Jacobi

Example: Some examples of the Jacobi function. For the first example, as
gcd(14414442441, 1626616611101713) = 7, we have:

The second and third illustrate the case of a quadratic residue and non-residue,
respectively.

> Jacobi(64553633552, 3232442001);
1
> Jacobi(77575775, 288287376);

//The following function may be used instead of the primelist function in
//fermattest and the Solovay-Strassen test.
//Written by Osmanbey Uzunkol..

proc base(int a) {
  list l;
  int j=1;
  for (j=1; j<=a; j++) {
    l[j]=j+1;                  // the bases 2, 3, ..., a+1
  }
  return(l);
}


//This function tests the primality (actually compositeness)
//of the prime candidate N by using the Fermat primality test
//as explained in the thesis with the chosen prime base elements
//between the below given bounds. The upper bound can be changed
//within the limitations of integers in SINGULAR.
//Note that with fast multiplication methods as we explained
//for elliptic curves the efficiency can be speeded up. If
//the answer takes much time then one has to use the C++ version.
//Written by Osmanbey Uzunkol.

ring r=0,x,lp;
proc fermattest(number N) {
  if (isdivisible(N)>1) {
    return(0); }
  else {
    number r;
    number temp;
    number exp=(N-1);
    number j;
    list l=primelist(32768,33768);   // the bases: the primes between 32768 and 33768
    int k=size(l);
    int i;
    for (i=1; i<=k; i++) {
      r=1;
      for (j=1; j<=exp; j=j+1) {     // l[i]^(N-1) mod N by repeated multiplication
        temp=l[i]*r;
        r=temp mod N;
      }
      if (r mod N!=1 mod N) {        // Fermat witness: N is composite
        return(0); }
    }
    return(1);                       // (probable) prime
  }
}

Example: The compositeness of the candidate 64366536553727646563 was proven
by calling fermattest:

> fermattest(64366536553727646563);
// ** redefining b **

Furthermore, the (probable) primality of the following integer, which is a divisor
of the above integer, was also proven. However, it takes lots of time as the
multiplication procedure is slow in SINGULAR. Actually, if it takes more than 1
minute, the answer is probably a probable prime but it is a better idea to check
it in the C++ version.

> fermattest(3608596543910279);
// ** redefining b **


//This function tests the primality (actually compositeness)
//of the prime candidate N by using the Solovay-Strassen primality test
//as explained in the thesis with the chosen prime base elements (not random)
//between the below given bounds. The upper bound can be changed
//within the limitations of integers in SINGULAR.
//Note that with fast multiplication methods as we explained
//for elliptic curves the efficiency can be speeded up. If
//the answer takes much time then one has to use the C++ version.
//Written by Osmanbey Uzunkol.

ring r=0,x,lp;
proc sollovay_strassen(number N) {
  if (isdivisible(N)>1) {
    return(0); }
  else {
    number r;
    number temp;
    number exp=((N-1)/2);
    number j;
    list l=primelist(32768,33768);
    int k=size(l);
    int i;
    for (i=1; i<=k; i++) {
      r=1;
      for (j=1; j<=exp; j=j+1) {     // l[i]^((N-1)/2) mod N by repeated multiplication
        temp=l[i]*r;
        r=temp mod N;
      }
      if (r mod N!=Jacobi(l[i],N) mod N) {   // Euler's criterion fails: N is composite
        return(0); }
    }
    return(1);
  }
}

Example: We will give two examples, one composite, the other a (probable)
prime. However, the caution that we mentioned for fermattest also applies
here.

> sollovay_strassen(424234251616626552525441551421);
// ** redefining b **

> sollovay_strassen(91346224180575661878056249);
// ** redefining b **


7.1.2 C++ source code, used classes and examples

In this section, we will see some implementations of primality tests with the help
of the LiDIA C++ library for computational number theory. At the end, by means of
the primeproof method developed by J. Hechler, see [30], for LiDIA, the implemen-
tation of the ECPP algorithm will be given in an example file written in C++ with
examples.

Here, with the help of the primelist function, a list of primes between given lower/upper
bounds:


//This programme computes a list of prime numbers given in
//lower and upper bound. It is almost the same as written
//in SINGULAR, but it is more efficient
//due to the fast computational capability of LiDIA
//written by Osmanbey Uzunkol

#include <LiDIA/prime_list.h>
#include <iostream>
using namespace LiDIA;
using namespace std;

// returns a newly allocated array with the primes in [lower, upper];
// the caller releases it with delete[]
unsigned long * primelist(unsigned long lower, unsigned long upper) {
  prime_list primelist(lower, upper);
  int i = primelist.get_number_of_primes();
  unsigned long *prime = new unsigned long[i];   // room for all i primes
  if (i == 0) return(prime);
  int j = 0;
  prime[j] = primelist.get_first_prime();
  while (j < i - 1)
  {
    j++;
    prime[j] = primelist.get_next_prime();
  }
  return(prime);
}

int size_primelist(unsigned long lower, unsigned long upper) {
  prime_list primelist(lower, upper);
  int i = primelist.get_number_of_primes();
  return(i);
}

int main()
{
  unsigned long lower, upper, prime;
  cout << "Please enter lower bound: "; cin >> lower;
  cout << "Please enter upper bound: "; cin >> upper;
  cout << endl;
  prime_list p_list(lower, upper);
  prime = p_list.get_first_prime();
  while (prime)                  // get_next_prime() returns 0 after the last prime
  {
    cout << prime << endl;
    prime = p_list.get_next_prime();
  }
  return 0;
}

Example: the same example that we gave for the primelist function for SINGU-
LAR (note that this time the list runs from the smaller prime to the bigger):

Please enter the lower bound: 45353109
Please enter the upper bound: 45353264

45353111
45353149
45353173
45353183
45353201
45353207
45353237


#include <LiDIA/prime_list.h>
#include <iostream>
using namespace LiDIA;
using namespace std;

// trial division by the small primes of the list: returns 0 if one of them
// divides N, 1 otherwise ((probable) prime)
int isdivisible(unsigned long N) {
  unsigned long p;
  prime_list pl(2, 10000000);
  for (p = pl.get_first_prime(); p != 0 && p < 1000000; p = pl.get_next_prime()) {
    if (N % p == 0) return(0);
  }
  return(1);
}

int main()
{
  unsigned long N;
  cout << "enter the possible prime < 10^14: "; cin >> N;
  cout << endl;
  cout << isdivisible(N) << endl;
  return 0;
}
//This example programme computes the Legendre-Jacobi symbol
//as in the SINGULAR example.
//example written by Osmanbey Uzunkol.
#include <LiDIA/bigint.h>
#include <iostream>
using namespace LiDIA;
using namespace std;
int main(){
    //In this programme we will compute the
    //Jacobi/Legendre symbol (a/N)
    bigint a, N;

    cout << "Please enter the value of a: "; cin >> a;
    cout << "Please enter the value of N: "; cin >> N;

    int i = jacobi(a, N);

    cout << "The Jacobi(Legendre)-symbol is: " << i << endl;

    return (0);
}


Example: As in the case of SINGULAR, three cases of the Jacobi symbol are given as examples:


please enter the value of a: 7176672728939384494949948949 
please enter the value of n: 82272666155561551666616617177100101 
The Jacobi(Legendre)-symbol is: 1 




please enter the value of a: 6546647437473783882871 
please enter the value of n: 6161652526626616117711172782271 
The Jacobi(Legendre)-symbol is: -1 


please enter the value of a: 10786846916586309307182037205410965 
please enter the value of n: 100000000181152552587186285254317809165567093021 
The Jacobi(Legendre)-symbol is: 0 


//The source code of fermattest of LiDIA will be given in this programme
//example file written by Osmanbey Uzunkol.

#include <LiDIA/bigint.h>
#include <iostream>

using namespace LiDIA;
using namespace std;

// Fermat test with the bases a = 2, 3, 5, 7: returns 0 if n is certainly composite
// and 1 if a^(n-1) = 1 (mod n) for all four bases (n is then a probable prime).
int fermattest(const bigint & n)
{
    bigint tmp_a, tmp_n, res;
    int a = 2;

    if (n < 2)
        return 0;
    if ((n == 2) || (n == 3) || (n == 5) || (n == 7))
        return 1;

    tmp_n.assign(n);
    dec(tmp_n);                               // tmp_n = n - 1

    while (a <= 7) {
        if (!remainder(n, a))                 // a divides n
            return 0;
        else {
            tmp_a.assign(a);
            power_mod(res, tmp_a, tmp_n, n);  // res = a^(n-1) mod n
            if (!res.is_one())
                return 0;
            else {
                if (a == 2)
                    a += 1;
                else
                    a += 2;                   // next base: 2, 3, 5, 7
            }
        }
    }
    return 1;
}

int main()
{
    bigint N;

    cout << "please enter the prime candidate N : "; cin >> N;
    cout << endl;

    if (fermattest(N)) cout << N << " is (probably) prime" << endl;
    else cout << N << " is a composite number" << endl;

    return 0;
}


Example: The following two examples show the composite and the (probable) prime case, respectively:


please enter the prime cadidate N: 4343552525663633554245226366366355351 




4343552525663633554245226366366355351 is a composite number 


please enter the prime cadidate N: 2543015553938550490663 
2543015553938550490663 is a (probably) prime 


//The source code of the Miller-Rabin test is_prime of LiDIA's bigint class
//will be given in this programme
//example file written by Osmanbey Uzunkol.

#include <LiDIA/bigint.h>
#include <iostream>

using namespace LiDIA;
using namespace std;

// Miller-Rabin test with bl bases: the first bases are taken from a[],
// further ones are the primes 37, 41, ... (H below).
bool
bigint::is_prime (const int bl) const
{
    static long a[10] = {3, 5, 7, 11, 13, 17, 19, 23, 29, 31};
    long b, j, ok, i, k = 0, sx;

    if (!longify(sx)) {
        // n fits in a long: handle small values directly
        if (sx <= 0)
            return false;
        if (sx == 2)
            return true;
        if (sx <= 31) {
            for (i = 0; i < 10; i++)
                if (sx == a[i])
                    return true;
            return false;
        }
    }

    if (is_le_zero() || is_even())
        return false;

    if (bl <= 0)
        lidia_error_handler("is_prime", "#tests <= 0");

    if (bl > 9)
        b = 9;
    else
        b = bl;                    // index of the last base taken from a[]

    bigint erg;
    bigint H(37), Q(*this);
    Q.dec();                       // Q = n - 1

    bigint N_minus1(Q);
    while (Q.is_even()) {          // n - 1 = 2^k * Q with Q odd
        Q.divide_by_2();
        k++;
    }

    // strong pseudoprime test for the bases a[0], ..., a[b]
    for (i = 0; i <= b; i++) {
        power_mod(erg, bigint(a[i]), Q, *this);      // erg = a[i]^Q mod n
        if (!erg.is_one() && erg.compare(N_minus1)) {
            j = k - 1;                               // at most k-1 squarings may reach -1
            ok = 0;
            while ((j > 0) && !ok) {
                square(erg, erg);
                remainder(erg, erg, *this);
                if (!erg.compare(N_minus1)) ok = 1;  // erg == n - 1
                j--;
            }
            if (!ok) {
                return false;
            }
        }
    }

    // the same test for the remaining bases H = 37, 41, 43, ...
    for (; i <= bl; i++) {
        if (!compare(H))           // n itself is the prime H
            return true;
        power_mod(erg, H, Q, *this);
        if (!erg.is_one() && erg.compare(N_minus1)) {
            j = k - 1;
            ok = 0;
            while ((j > 0) && !ok) {
                square(erg, erg);
                remainder(erg, erg, *this);
                if (!erg.compare(N_minus1)) ok = 1;
                j--;
            }
            if (!ok) {
                return false;
            }
        }
        H = H.next_prime();
    }
    return true;
}

int main(){
    bigint N;
    cout << "Please enter the prime candidate :"; cin >> N;
    if (N.is_prime(10))
        cout << N << " is (probable) prime" << endl;
    else
        cout << N << " is composite" << endl;

    return 0;
}


please enter the prime cadidate :6636536366366363636555626266263101 
6636536366366363636555626266263101 is composite 




please enter the prime cadidate: 449017159180743482307697943 
449017159180743482307697943 is (probable) prime 


//A factorization example for use in the N-1 or N+1
//tests when we can factorize the integer fully.
//Note that there are other factorization functions that
//enable us to test the primality of N if only a
//partial factorization is available for N-1 or N+1.

#include <LiDIA/rational_factorization.h>
#include <iostream>

using namespace LiDIA;
using namespace std;

int main()
{
    rational_factorization f;
    bigint n;

    cout << "\n Please enter a number: ";
    cin >> n;

    f.assign(n);
    f.factor();

    if (f.is_prime_factorization())
        cout << "\n Prime Factorization: " << f << endl;
    else
        cout << "\n Factorization: " << f << endl;

    return 0;
}


Example: an example of the prime factorization of an integer N in the form of pairs (p_i, e_i), where

N = \prod_{i=1}^{k} p_i^{e_i}, the p_i being prime:


Please enter a number: 722373666447774889299438843747747773738 
Prime Factorization: [(2,1),(137,1),(281,1), (4787,1) , (393373,1), 
(5327244139616992287109027 , 1) ] 


We now give the Cornacchia algorithm as written in the bigint class of LiDIA, which follows the pseudocode (modified Cornacchia's algorithm) that we gave in Chapter 2.


bool cornacchia (bigint & x, bigint & y, const bigint & DD, const bigint & p)
{
    bigint x0, a, b, l, r;
    bigint D, p_four;
    bigint rr;
    bool r_is_sqr;
    long s;

    if (!DD.is_negative())
        lidia_error_handler("cornacchia", "D not negative");
    s = (4 - (DD.least_significant_digit() & 3)) & 3;   // DD mod 4

    shift_left(p_four, p, 2);                            // p_four = 4p
    D.assign(DD);

    if (!is_prime(p) || !p.is_positive() || p == 2)
        lidia_error_handler("cornacchia", "no odd prime number");

    if ((-D) >= p_four)
        lidia_error_handler("cornacchia", "|D| >= 4*p");

    if (s != 1 && s != 0)
        lidia_error_handler("cornacchia", "D != 0 or 1 mod 4");

    if (jacobi(D, p) == -1) {
        return false;                 // (D/p) = -1 --> no solution
    }
    else {
        ressol(x0, p + D, p);         // x0 = sqrt(D) mod p
        if (x0.is_even() != D.is_even())
            subtract(x0, p, x0);      // make x0 = D (mod 2)

        shift_left(a, p, 1);          // a = 2p
        b.assign(x0);

        shift_left(l, p, 2);
        sqrt(l, l);                   // l = floor(2*sqrt(p)) = floor(sqrt(4p))

        while (b > l) {               // Euclidean algorithm on (2p, x0), stopped at b <= l
            remainder(r, a, b);
            a.assign(b);
            b.assign(r);
        }
        square(l, b);
        subtract(a, p_four, l);
        // a = 4p - b^2 now

        D.negate();                   // D = |D|

        remainder(r, a, D);
        if (!r.is_zero()) {           // |D| must divide 4p - b^2
            return false;
        }
        else {
            divide(r, a, D);
            r_is_sqr = is_square(rr, r);   // (4p - b^2)/|D| must be a square rr^2
            if (!r_is_sqr) {
                return false;
            }
            else {
                x.assign(b);
                y.assign(rr);         // b^2 + |D| rr^2 = 4p
                return true;
            }
        }
    }
}


Now, at the end, we use the prime_proof class (see [30] and [20] for more details) to write an example file in C++ and give examples of the N-1, N+1 and ECPP algorithms:


#include <iostream>
#include <LiDIA/bigint.h>
#include <LiDIA/prime_proof.h>
#include <LiDIA/certificate.h>
using namespace LiDIA;
using namespace std;

int main()
{
    bigint N;

    cout << "Please enter the prime candidate : ";
    cin >> N;

    prime_proof proof;
    certificate c;

    proof.set_verbose(true);
    proof.set_ecpp_mode(1);
    proof.set_prime(N);

    bool success = proof.prove_prime();
    if (success)
        cout << N << " is prime" << endl;
    else cout << N << " is not prime" << endl;

    return 0;
}


Please enter the prime candidate : 2142973051 
Primelength: 10 

Make the SPP test 

SPP: n-1=271l*q, 1: 1 q: 1071486525 

SPP: Test was succesful 


2142973051 is prime 


Please enter the prime candidate : 138934276198614100615367165789108366819377188 
1773889298737782991998387756530022001881727277301776266377277271 

Primelength: 109 
13893427619861410061536716578910836681937718817738892987377829919983877565300220 
01881727277301776266377277271 is not prime


Please enter the prime candidate : 614367291872088173452017745619376378920198837 
62567829919982778299100166355178390100988277164520918846551729001987262661567188 
17272663781899199882772891991000093838829928839928882999288891977177188818881177 
11000118811717 

Primelength: 219 
61436729187208817345201774561937637892019883762567829919982778299100166355178390 
10098827716452091884655172900198726266156718817272663781899199882772891991000093 
83882992883992888299928889197717718881888117711000118811717 is not prime 


We finish this section by giving a primality proof using ECPP in an easy-to-understand form, following [7]. Note that it is easy to verify the proof and obtain the certificate from the intermediate data given below:


1267650600228229401496703205653

169317673849406496638751929789 535428649309014131591402355077
1223116517107234371890879608558 348818700976692547697219665601
1267650600228230776357544186344

1764763222984205716110037


1764763222984205716110037

1237106009019141934754397 824737339346094623169598
498566265383685655850376 1698160958763013389415626
1764763222981587729747968

21321838780409719

21321838780409719

5979072666605065 11093328037873283
12289991207526417 5086330291908954
21321839059327264

636820759


Using DOWN-RUN, we arrive at the number 636820759. By calling the primelist
function, we can easily see by trial division that this number is prime.
Hence we have proved the primality of 1267650600228229401496703205653 by
reducing it to the primality of the prime 636820759.
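As an added example (not from the thesis or from LiDIA), the following Python code checks one step of such a proof: given N, a curve y^2 = x^3 + ax + b, a point (x, y) on it, the order m and its prime factor q, it verifies the conditions of the Goldwasser-Kilian/Atkin theorem, and a denominator that is not invertible modulo N makes the step fail. Which of the lines of the certificate above hold (a, b) and which hold the point is not assumed here; the test uses a tiny constructed curve over F_7 with 13 points.

```python
from math import isqrt

class NotInvertible(Exception):
    """A denominator is not invertible mod N: the step fails (and N is composite)."""

def ec_add(P, Q, a, N):
    """Chord-and-tangent addition on y^2 = x^3 + a*x + b over Z/NZ; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % N == 0:   # P = -Q
        return None
    num, den = (3 * x1 * x1 + a, 2 * y1) if P == Q else (y2 - y1, x2 - x1)
    try:
        lam = num * pow(den, -1, N) % N
    except ValueError:                    # gcd(den, N) > 1
        raise NotInvertible(den % N)
    x3 = (lam * lam - x1 - x2) % N
    return (x3, (lam * (x1 - x3) - y1) % N)

def ec_mul(k, P, a, N):
    """Double-and-add scalar multiple k*P."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, N)
        P = ec_add(P, P, a, N)
        k >>= 1
    return R

def verify_step(N, a, b, x, y, m, q):
    """True iff (N, a, b, (x, y), m, q) passes one ECPP step, i.e. N is prime provided q is.
    Conditions: q | m, q > (N^(1/4)+1)^2, (m/q)P != O and m*P = O on a non-singular curve."""
    if N < 5 or N % 2 == 0 or N % 3 == 0:
        return False
    if (4 * a ** 3 + 27 * b ** 2) % N == 0 or (y * y - x ** 3 - a * x - b) % N != 0:
        return False
    if m % q != 0 or N >= (isqrt(q) - 1) ** 4:   # isqrt makes the size test slightly conservative
        return False
    try:
        R = ec_mul(m // q, (x, y), a, N)
        return R is not None and ec_mul(q, R, a, N) is None
    except NotInvertible:
        return False
```

The proof of N is completed by applying verify_step to each level of the certificate in turn and proving the last q (here 636820759) by trial division.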


7.2 Conclusion 


The aim of this thesis was to introduce modern primality testing methods and
to explain the so-called Atkin's ECPP Algorithm. Most of the primality tests
were covered by explaining the necessary theoretical background coming from
algebra, number theory and the arithmetic of elliptic curves, and by introducing
the methods in an algorithmic way. Furthermore, we treated in detail the
computational problems and solutions that come with the theory of elliptic
curves, in particular curves with CM. Additionally, approaches to make the
ECPP algorithm more practical were also discussed. At the end of the thesis,
several programming examples of primality tests are given, together with
examples of Atkin's ECPP, in the computer algebra system SINGULAR and in the
programming language C++, with the help of the LiDIA package for
computational number theory.